Instant messaging service Telegram has been one of the recent targets of attackers seeking to build a swarm of compromised devices that spend their processing power, electricity and bandwidth mining cryptocurrencies such as Zcash and Monero on the attackers’ behalf.
According to a report issued by multinational cybersecurity company Kaspersky Lab, the attackers took advantage of a ‘zero-day’ vulnerability, that is, a flaw that is already being exploited before the vendor knows about it or has shipped a patch, leaving users with no fix to apply. The security hole was found in the desktop app of the popular messenger, founded in Russia, and it was used to deliver malware that could act either as a backdoor or as unwanted mining software.
The report goes on to explain that the vulnerability “has been actively exploited since March 2017”, and that it abuses the Unicode right-to-left override character (RLO, U+202E), part of the bidirectional text support that lets scripts such as Arabic and Hebrew, which are written from right to left, be displayed correctly. The character itself is invisible, but it reverses the display order of everything that follows it in a file name, so a name that really ends in “.js” can be shown to the user as if it ended in “.png”. Users deceived by the displayed name download and run malicious programs on their computers.
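To make the trick concrete, here is an added example, written for this page rather than taken from the article or from Kaspersky’s report. It models how a file dialog renders a name containing the RLO character, recovers the extension the operating system will actually use, and flags the mismatch. The sample file names are constructed for illustration; the list of executable extensions and the simplified rendering model (one override, no nesting) are assumptions of the example, not part of the report.

```python
"""Detect right-to-left-override (RLO) file name spoofing.

Added example, not from the original article or from Kaspersky's report.
The sample names below are constructed; the "photo_high_re<RLO>gnp.js"
shape mirrors the kind of name the report describes.
"""

# Unicode bidirectional control characters: invisible, but they change how
# the surrounding text is rendered.
RLO = "\u202e"   # RIGHT-TO-LEFT OVERRIDE
PDF = "\u202c"   # POP DIRECTIONAL FORMATTING (ends an override)
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",   # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",             # LRI, RLI, FSI, PDI
    "\u200e", "\u200f",                                 # LRM, RLM
}

# Extensions Windows executes on double-click (assumption: representative,
# not exhaustive).
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                         "vbs", "vbe", "wsf", "hta", "ps1", "lnk", "msi"}


def rendered_name(name: str) -> str:
    """Approximate what a file dialog shows the user.

    Simplified bidi model: an RLO reverses the display order of everything
    after it until a PDF (or the end of the string); other control characters
    are invisible and dropped. Nested overrides are not modelled, which is
    enough for the single-RLO trick discussed on this page.
    """
    out = []
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == RLO:
            j = i + 1
            segment = []
            while j < len(name) and name[j] != PDF:
                if name[j] not in BIDI_CONTROLS:
                    segment.append(name[j])
                j += 1
            out.append("".join(reversed(segment)))
            i = j + 1          # skip the PDF if one was found
        elif ch in BIDI_CONTROLS:
            i += 1             # invisible; contributes nothing to the display
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def logical_name(name: str) -> str:
    """The name as the OS stores and opens it: control characters stripped."""
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)


def _extension(name: str) -> str:
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def true_extension(name: str) -> str:
    """Extension the OS uses to choose a handler (last dot of the logical name)."""
    return _extension(logical_name(name))


def displayed_extension(name: str) -> str:
    """Extension the user believes they see."""
    return _extension(rendered_name(name))


def audit_filename(name: str) -> dict:
    """Flag names whose displayed extension differs from the one that runs."""
    shown_ext = displayed_extension(name)
    real_ext = true_extension(name)
    has_controls = any(ch in BIDI_CONTROLS for ch in name)
    return {
        "rendered": rendered_name(name),
        "displayed_extension": shown_ext,
        "true_extension": real_ext,
        "contains_bidi_controls": has_controls,
        "extension_mismatch": shown_ext != real_ext,
        "executable": real_ext in EXECUTABLE_EXTENSIONS,
        "suspicious": has_controls
        and (shown_ext != real_ext or real_ext in EXECUTABLE_EXTENSIONS),
    }


if __name__ == "__main__":
    # Constructed sample names (not real samples from the campaign).
    samples = [
        "photo_high_re" + RLO + "gnp.js",   # shown as photo_high_resj.png, runs as .js
        "invoice" + RLO + "fdp.exe",        # shown as invoiceexe.pdf, runs as .exe
        "holiday.png",                      # benign
        "\u0639\u0631\u0628\u064a.txt",     # genuine Arabic text, no override: benign
    ]
    for s in samples:
        r = audit_filename(s)
        print(f"{r['rendered']!r:32} shown as .{r['displayed_extension']:<4} "
              f"runs as .{r['true_extension']:<4} suspicious={r['suspicious']}")
```

The useful defensive rule is the last one: the presence of a bidi control character in a file name is not malicious by itself (legitimate Arabic or Hebrew names contain none of the override characters, but marks like LRM/RLM do appear in real text), so the audit only raises an alert when the control characters make the displayed extension differ from the real one, or when the real extension is executable. Stripping or rejecting U+202E and U+202D in file names received from untrusted peers removes the trick entirely.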
Next, as per the report, once the file is run the attacker gains remote access to the victim’s PC and begins operating “in a silent mode”, which lets them execute various commands, such as installing spyware tools or mining software for different cryptocurrencies. Kaspersky’s research indicates the cybercriminals are probably based in Russia.
Moreover, the anti-virus provider stated that Telegram wasn’t the only messaging app to have been targeted. Last month the also popular WhatsApp was exploited in order to steal messages, an issue likewise discovered by the Russian cybersecurity firm.
Kaspersky notified Telegram of the flaw, and since then there have been no reports of it being exploited again.
Nature of the attack deemed “social engineering”
In one of Telegram’s community channels it was explained that the vulnerability was not a real flaw in the desktop app but rather a piece of social engineering, emphasizing that “(…) no one can remotely take control of your computer or Telegram unless you open a malicious file.” The statement clarifies that the attack was in fact “a .js file hidden on a .png file,” which users must open and then confirm in the Run dialog before it can do anything on their computers.
This explanation was forwarded by Telegram’s founder Pavel Durov, who also warned that antivirus companies should be more careful when issuing this kind of report, “as they tend to exaggerate their findings to get publicity in mass media.”