“Telegram reached 950 million monthly active users,” its CEO Pavel Durov announced on his channel on July 22. “Up from 900 million in the spring—on track for ONE BILLION!” Exciting stuff—but with a catch. Also on July 22, cyber firm ESET warned it had found a (since patched) zero-day targeting all those users. In itself not news, but with Telegram being one of the world’s leading marketplaces for just such exploits, this seems a clear case of what goes around, comes around.
First to that zero-day. ESET’s research team discovered the exploit for sale on an underground forum a month ago. The malware targeted Android users and disguised its payload within a 30-second video clip. As users received the video attachment in a message or channel, it downloaded to their phones. This auto-download is Telegram’s default unless and until manually changed. The video would not play when clicked, but would offer a dialog box instead. Clicking “Open” triggered the install. You should change the default media file download setting on all your messaging apps.
ESET found the attack in late June, dubbing it “EvilVideo.” It disclosed this to Telegram, which deployed a fix by July 11. “The vulnerability affected all versions of Telegram for Android up to 10.14.4, but has been updated as of version 10.14.5.”
I have approached Telegram for any comment on the vulnerability.
This isn’t the most sophisticated zero-day we’ve seen this year, not even this month. But it’s interesting because of the sheer irony. As one cyber report warned earlier this year, Telegram is now “a bustling hub where seasoned cybercriminals and newcomers alike exchange illicit tools and insights creating a dark and well-oiled supply chain of tools and victims’ data. Free samples, tutorials, kits, even hackers-for-hire—everything needed to construct a complete end-to-end malicious campaign.”
Its dangerous marketplace is one issue, its lack of default end-to-end encryption an even bigger one, as was highlighted in its very public spat with secure messenger Signal back in May. But warnings about Telegram’s security veneer have been issued repeatedly for years. Clearly, that’s not slowing growth.
“Telegram has become the go-to app for heroin, guns, and everything illegal,” Fortune warned last month. A few weeks earlier, The FT likened the platform to the dark web, with one source telling the newspaper, “Telegram is social media for organized criminals—It’s virtually the wild west out there.”
And so we’re left this week with a sharp sense of irony and a stark realization that none of this has yet applied any kind of brake to Telegram’s surge. In 2016, Gizmodo warned “why you should stop using Telegram right now… The supposedly secure messaging app, has over 100 million users. You might even be one of them. If you are, you should probably stop using it right now… It’s not as secure as the company’s marketing campaigns might lead you to believe.”
Little has changed—apart from the small matter of those 900 million additional sign-ups, of course. And so that awkward combination of dark web marketplace and flighty social media slash messaging app continues unabated. Users beware…