A stark new warning today, with millions of you exposed as a malicious new threat exploits Telegram to target you with dangerous malware—even if you’re not a user. If you’re hit by this cyber attack, you risk data theft, spyware, ransomware and even a complete system takeover. Here’s how to check if you’re infected.
Last year, Telegram’s Pavel Durov warned that “using WhatsApp is dangerous.” But now that provocative attack has come back to bite. A new security report, issued today, warns of “a growing cyber threat where hackers use Telegram, the instant messaging app with over 500 million active users, as a command and control system.”
Durov’s WhatsApp warning focused on hacks to the Facebook-owned messenger itself, where, he said, backdoors had been planted to extract user data. He also cautioned WhatsApp users over the lack of end-to-end encrypted backups. These were very targeted, very specific attacks, perpetrated by sophisticated threat actors.
On a wider scale, the use of messengers to spread malware is not new. Earlier this month, Check Point warned that a rogue Netflix security-bypass app on Google’s Play Store was abusing Android’s “Notification Listening Service” to intercept incoming WhatsApp messages on victims’ phones, and then automatically reply to those messages with dangerous, malware-laced attachments and links.
Clearly, Telegram has that same risk—any messenger can be exploited to send dangerous messages, attachments and links, and you should always be wary of links and attachments, even if they appear to come from friends. But there are much more serious dangers with Telegram that can’t be mitigated by a user’s common sense alone.
Telegram is significantly more complex than its direct rivals, the likes of Facebook Messenger, WhatsApp, iMessage and Signal. Its architecture now serves more than 500 million users, through a spider’s web of connected endpoints and its own cloud back-end. It provides seemingly limitless groups and channels, and a range of other sophisticated features, including its own “bot platform.”
As Telegram explains, “bots are simply Telegram accounts operated by software—not people—and they’ll often have AI features. They can do anything—teach, play, search, broadcast, remind, connect, integrate with other services, or even pass commands to the Internet of Things.” Unfortunately, that’s not all those bots can do.
Check Point, which also issued this new Telegram warning, says it has “tracked 130 cyber attacks that used malware managed over Telegram by attackers in the last three months… Even when Telegram is not installed or being used, it allows hackers to send malicious commands and operations remotely via the instant messaging app.”
The malware itself is not spread by Telegram messages, which is why, as Check Point says, it doesn’t matter whether you have the app installed or not. The threats reach users through simple email campaigns. But once a crafted email attachment is opened on a user’s Windows PC, the malware it drops uses a bundled Telegram bot as its link back to the attacker, turning the messaging service’s own infrastructure into the command and control channel through which the attack is managed.
As Check Point says, “the popularity of Telegram-based malware aligned to the growing usage of the messaging service worldwide” has become a “growing trend,” and one that’s getting worse. “Dozens of new types of Telegram-based malware have been found as ‘off-the-shelf’ weapons in hacking tool repositories on GitHub.”
Telegram brings several benefits to attackers and their campaigns—primarily that the platform is known and trusted and so will evade many defences. “Telegram is a legitimate, easy-to-use and stable service that isn’t blocked by enterprise anti-virus engines, nor by network management tools,” Check Point says.
Beyond that, an attacker can easily create a new bot without disclosing identifying information, making attribution and interception much harder. Telegram’s install-base is also vast and growing quickly, enabling attackers “to use their mobile devices to access infected computers from almost any location globally.”
This threat vector is not new. Such use of Telegram bots goes back years. But, as Check Point has now clearly shown, despite this the problem has not been addressed. “We believe attackers are leveraging the fact that Telegram is used and allowed in almost all organizations, utilizing this system to perform cyber attacks, which can bypass security restrictions,” says Check Point’s Idan Sharabi.
The specific malware identified by Check Point is “ToxicEye,” a new remote access trojan, or RAT. Not only can this RAT steal data or encrypt a user’s files for ransom, it can even hijack the mic and camera on a PC. Windows users can search for the file “C:\Users\ToxicEye\rat.exe” on their systems to see if they have been infected.
If you have that file, then you need to delete it and take immediate advice from your company’s IT support desk if this is a work machine. If it’s on a PC at home, then make sure you install and run a high-quality antivirus program as soon as you can. That path is a single indicator, so its absence does not prove a machine is clean.
Sharabi told me that both individuals and organisations are at risk from these Telegram-enabled attacks, suggesting that “Telegram communications can be blocked in order to protect against this type of threat. Each individual or security admin should remediate this threat based on their desired security policy.”
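Check Point’s point above is that Telegram’s Bot API passes through most enterprise controls, so the practical defence is first to see that traffic and then, as Sharabi suggests, to block it. The script below is an added example for this article (not Check Point’s or Telegram’s code) that applies that logic to web-proxy logs: it flags hosts calling the documented Bot API shape https://api.telegram.org/bot<token>/<method>, records the embedded bot token and the methods used, and separately notes hosts that only opened a TLS tunnel to api.telegram.org, where the URL is not visible. The log line format, IP addresses, timestamps and the bot token are constructed for the example, and the requirement of 30 or more secret characters in a token is an assumption about token shape, not a documented Telegram rule.

```python
"""Flag Telegram Bot API command-and-control traffic in web-proxy logs.

Added example for this article; not Check Point's or Telegram's code.
Assumes a simple proxy log line format (constructed for the example):
    <timestamp> <client-ip> <verb> <url-or-host:port> "<user-agent>"
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Documented Bot API shape: https://api.telegram.org/bot<token>/<method>
# The token is "<numeric bot id>:<secret>"; requiring 30+ secret characters
# is an assumption about token shape, not a Telegram-documented rule.
BOT_API_RE = re.compile(
    r"^https?://api\.telegram\.org/bot(?P<token>\d+:[A-Za-z0-9_-]{30,})/(?P<method>[A-Za-z]+)"
)
# Without TLS inspection the proxy only sees the tunnel request to the host.
CONNECT_RE = re.compile(r"^api\.telegram\.org(:443)?$")
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<verb>[A-Z]+) (?P<target>\S+) "(?P<ua>[^"]*)"$'
)
# Methods a remote-access trojan needs: poll for commands, send results and files back.
C2_METHODS = {"getUpdates", "sendMessage", "sendDocument", "sendPhoto"}

# Constructed sample log: 10.1.4.17 behaves like a Bot API-driven RAT,
# 10.1.4.31 only tunnels to the API host, 10.1.4.22 is ordinary browsing.
SAMPLE_LOG = """\
2021-04-22T09:14:03Z 10.1.4.17 GET https://api.telegram.org/bot123456789:AAHxq8ZbK9uN3mT1vWpLoR2sYdF4gE5hJ6k/getUpdates?offset=51 "Mozilla/4.0 (compatible; MSIE 7.0)"
2021-04-22T09:14:08Z 10.1.4.17 POST https://api.telegram.org/bot123456789:AAHxq8ZbK9uN3mT1vWpLoR2sYdF4gE5hJ6k/sendDocument "Mozilla/4.0 (compatible; MSIE 7.0)"
2021-04-22T09:14:09Z 10.1.4.22 GET https://www.example.com/index.html "Mozilla/5.0"
2021-04-22T09:15:40Z 10.1.4.31 CONNECT api.telegram.org:443 "-"
2021-04-22T09:15:41Z 10.1.4.22 CONNECT web.telegram.org:443 "Mozilla/5.0"
"""


@dataclass
class Finding:
    ts: str
    client: str
    method: str   # Bot API method, or "CONNECT" when only the tunnel is visible
    token: str    # bot token when the URL was visible, else ""
    ua: str


def parse_line(line):
    """Split one log line into fields; returns None for lines in another format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def inspect(rec):
    """Return a Finding if the record is Telegram Bot API traffic, else None."""
    if rec["verb"] == "CONNECT":
        if CONNECT_RE.match(rec["target"]):
            return Finding(rec["ts"], rec["client"], "CONNECT", "", rec["ua"])
        return None
    m = BOT_API_RE.match(rec["target"])
    if m is None:
        return None
    return Finding(rec["ts"], rec["client"], m["method"], m["token"], rec["ua"])


def analyse(log_text):
    """Return (findings, verdicts); verdicts maps client IP to a summary dict."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        f = inspect(rec)
        if f is not None:
            findings.append(f)

    by_client = defaultdict(list)
    for f in findings:
        by_client[f.client].append(f)

    verdicts = {}
    for client, fs in by_client.items():
        methods = {f.method for f in fs}
        tokens = sorted({f.token for f in fs if f.token})
        if methods & C2_METHODS:
            verdict = "likely Bot API C2"
        elif methods == {"CONNECT"}:
            verdict = "Bot API host reached, URL not visible"
        else:
            verdict = "Bot API use, no C2 method seen"
        verdicts[client] = {"verdict": verdict, "methods": sorted(methods), "tokens": tokens}
    return findings, verdicts


if __name__ == "__main__":
    _, verdicts = analyse(SAMPLE_LOG)
    for client, v in sorted(verdicts.items()):
        print(f"{client}: {v['verdict']}; methods={v['methods']}; tokens={v['tokens']}")
```

Official Telegram clients speak MTProto to Telegram’s data centres rather than calling this HTTPS endpoint, so on a workstation a steady stream of getUpdates polls followed by sendDocument uploads is the pattern to look for. Where the proxy cannot inspect TLS it still sees the hostname, which is enough to alert on or block per Sharabi’s advice; where it can, the recovered bot token identifies the attacker’s bot and can go straight into a block rule.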
Of course, the other critical advice is the same old “don’t open email attachments,” unless you’re sure of the sender and message. These attacks were on Windows PCs, and you should be running some form of security software in any case.
There are other security risks with Telegram, of course, impacting the more than half-billion users the platform has now secured. Users must always remember that Telegram is not end-to-end encrypted by default, and as such its security is weaker than WhatsApp and iMessage, to say nothing of Signal. Switching from WhatsApp to Telegram, as I’ve said before, makes no sense as a security measure.
Check Point says it did not disclose the latest findings to Telegram, given there is no vulnerability in the messenger’s software—this is exploitation of a legitimate function for malicious purposes. Even so, I reached out to Telegram ahead of publication to ask whether any mitigations are going to be added to the platform. This is a known issue and its bots are clearly ripe for abuse, leveraging Telegram’s good name to evade individual and organisational security measures.
“Given that Telegram can be used to distribute malicious files,” Sharabi warns, “or as a command and control channel for remotely controlled malware, we fully expect that additional tools that exploit this platform will continue to be developed in the future.”
As such, either this attack vector needs shutting down or organisations should look hard at prohibiting Telegram on their networks to mitigate the risk, and the implications of that would be dire for Telegram and its hundreds of millions of users.
The messaging battle continues and promises to heat up again next month, when Facebook’s forced change of terms for WhatsApp users kicks in. “Nobody ever invited Big Tech to join a group chat,” Signal tweeted this week, in a thinly veiled attack on WhatsApp, “but they still hang around and know what’s going on. Signal knows nothing. Private groups protect your group names, group membership, group messages, and even the group avatar with end-to-end encryption.”
But perhaps the clearest illustration of the different security approaches came from Signal’s handling of Cellebrite this week. Late last year, the security firm that develops software to exfiltrate data from devices through a physical connection boasted that it had added Signal to its target list. Signal pushed back hard at the time.
Now, Signal has gone a step further, claiming serious vulnerabilities in Cellebrite’s software that could put its users at risk. More importantly, Signal’s blog suggests it can prevent its user data being compromised by exploiting weaknesses in the exfiltration software. I have reached out to Cellebrite for any comments on Signal’s new claims.
If you’re a user who values security and privacy, then looking at all of this recent news flow, you can certainly see why switching to Signal makes sense.