Telegram Zero-Day for Android Allowed Malicious Files To Masquerade as Videos (therecord.media)
Researchers have identified a zero-day exploit for the Telegram messaging app on Android devices that could have allowed attackers to send malicious payloads disguised as legitimate files. From a report: The exploit was built to abuse a vulnerability that Slovakia-based firm ESET dubbed EvilVideo. Telegram fixed the bug earlier this month in versions 10.14.5 and above after researchers reported it. Threat actors had about five weeks to exploit the zero-day before it was patched, but it's not clear if it was used in the wild, ESET said. ESET discovered the exploit on an underground forum in early June. It was sold for an unspecified price by a user with the username "Ancryno." In its post, the seller showed screenshots and a video of testing the exploit in a public Telegram channel.
In unpatched versions of Telegram for Android, attackers could use the exploit to send malicious payloads via Telegram channels, groups and chats, making them appear as multimedia files. The exploit takes advantage of Telegram's default setting to automatically download media files. The option can be disabled manually, but in that case, the payload could still be installed on the device if a user tapped the download button in the top left corner of the shared file. If the user tried to play the "video," Telegram displayed a message that it was unable to play it and suggested using an external player. The hackers disguised a malicious app as this external player.
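The summary above describes the core of EvilVideo: a payload whose filename and declared type say "video" while its bytes are an installable APK. The check below is an added example (not code from the article, ESET or Telegram) of how a client or gateway can catch that shape by sniffing the container and looking for an Android manifest inside any ZIP; the sample MP4 header and the fake APK are constructed inline.

```python
import io
import zipfile
from typing import Optional


def sniff_container(data: bytes) -> Optional[str]:
    """Classify a blob by its leading bytes, ignoring name and declared MIME type."""
    if data[:4] == b"PK\x03\x04":
        return "zip"                      # ZIP family: APK, JAR, DOCX ...
    if len(data) >= 12 and data[4:8] == b"ftyp":
        return "mp4"                      # ISO BMFF: 'ftyp' box follows a 4-byte size
    if data[:4] == b"\x1a\x45\xdf\xa3":
        return "webm"                     # Matroska/WebM EBML header
    return None


def looks_like_apk(data: bytes) -> bool:
    """A ZIP that carries an AndroidManifest.xml entry is an installable APK."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return "AndroidManifest.xml" in zf.namelist()
    except zipfile.BadZipFile:
        return False


VIDEO_EXTENSIONS = {"mp4", "m4v", "mov", "webm", "mkv"}
VIDEO_CONTAINERS = {"mp4", "webm"}


def check_attachment(filename: str, declared_mime: str, data: bytes) -> str:
    """Return 'ok', 'mismatch' or 'apk-as-video' for an incoming attachment."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claims_video = declared_mime.startswith("video/") or ext in VIDEO_EXTENSIONS
    if not claims_video:
        return "ok"                       # only the "says video" case is in scope here
    actual = sniff_container(data)
    if actual == "zip" and looks_like_apk(data):
        return "apk-as-video"             # the EvilVideo shape: installer labelled as media
    if actual not in VIDEO_CONTAINERS:
        return "mismatch"                 # claims video, bytes say something else
    return "ok"


def build_fake_apk() -> bytes:
    """Constructed sample: a minimal ZIP with the entries an APK would carry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()


# Constructed sample inputs: a plausible MP4 header and the fake APK above.
MP4_SAMPLE = b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 16
FAKE_APK = build_fake_apk()
```

Such a check belongs before auto-download or auto-open, since the summary notes the payload was still installable from the manual download button once the auto-download setting was off.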
Relying on Pavlovian response (Score:2)
Re: (Score:2)
Indeed. Personally, as a security expert, I avoid it, but it takes constant reminding myself because it has gotten so prevalent. The whole user-experience is really borked with regards to security and there is always somebody willing to exploit that.
Re: (Score:3)
There's a nuance, though.
The approach itself is even shabbier than that: this explicitly asks for a player to be downloaded and installed on the device to display a random video in an app that routinely ... displays videos out of the box: https://www.youtube.com/watch?... [youtube.com]
But while the mere proposal is a huge red flag, the prompt does seem to be from the Telegram app, which people will tend to automatically trust (I guess it actually is, and that's why this was a zero-day exploit).
Re: (Score:2)
Not on TG. That thing has an excellent built-in media player. And due to its heavy focus on freedom, there's enough crypto etc. nonsense on it that most users know not to follow anything that pretends to be a video and then is actually a link outside Telegram. You just assume it's another crypto scam among hundreds of others and move on.
Re: (Score:2)
Not on TG. That thing has an excellent built-in media player. And due to its heavy focus on freedom, there's enough crypto etc. nonsense on it that most users know not to follow anything that pretends to be a video and then is actually a link outside Telegram. You just assume it's another crypto scam among hundreds of others and move on.
Yeah, I would suspect a TG user to be a bit more aware and less likely to fall for such a scheme; however, even the most tech-savvy user is not immune from a temporary moment of stupidity; sometimes the easiest to fool are those who think they are too smart to be fooled. Also, I would guess not all TG users are at the same level of sophistication.
One interesting thing is TG is open source, and one of the arguments for OS is it is more secure since many eyes look at the code; I guess the downside is not all e
Re: (Score:2)
It's not just that. You can use a different Telegram client. There are quite a few.
Correction (Score:2)
It seems like the data file demands that the user download a Trojan application. Auto-configure and install has been part of OSs for many years: that's why computing devices have an anti-virus. This isn't a new attack vector; this is a failure of the OS.