Telegram zero-day used to spread cryptomining malware

The zero day is exploitable through the way the app's Windows client manages a Unicode character that reverses the direction of text. A JavaScript file disguised as an image file is used to deploy malware.

A zero-day vulnerability in the popular encrypted messaging app Telegram has subjected affected users to remote cryptomining for months, according to research released Tuesday by Kaspersky Lab.

The vulnerability is in the chat app’s Windows client, Kaspersky researcher Alexey Firsh writes. Specifically, the weakness is in the way Telegram handles a Unicode character that reverses the direction of text in the app. A hacker sends a victim what appears to be a .png image attachment. Because of the trickery with the Unicode character, the attachment is actually a JavaScript file that installs malware on the victim’s system.
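To make the filename trick concrete, here is an added Python example (not code from Kaspersky, Telegram, or this article) that inspects an attachment name for Unicode bidirectional-control characters, approximates how the name is displayed, and compares the displayed extension with the one the operating system actually uses. It assumes the reversing character is U+202E RIGHT-TO-LEFT OVERRIDE; the sample filename is constructed.

```python
"""Flag filenames whose real extension is disguised by Unicode bidi controls."""
import unicodedata

# Bidi override/embedding/isolate controls that change display order (assumed set).
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI, RLI, FSI, PDI
}
RLO, PDF = "\u202e", "\u202c"


def find_bidi_controls(name):
    """Return (index, Unicode name) for every bidi control character in name."""
    return [(i, unicodedata.name(ch)) for i, ch in enumerate(name) if ch in BIDI_CONTROLS]


def rendered_name(name):
    """Approximate what a viewer shows: text after an RLO is drawn reversed until
    a PDF or the end of the string. The full bidi algorithm is more elaborate,
    but this is enough to expose the disguise."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == RLO:
            end = name.find(PDF, i + 1)
            end = len(name) if end == -1 else end
            out.append(name[i + 1:end][::-1])
            i = end + 1
        elif ch in BIDI_CONTROLS:
            i += 1  # other controls are invisible; drop them
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def _extension(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def assess(name):
    """Compare the extension the OS uses with the one the user sees."""
    raw = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    shown = rendered_name(name)
    controls = find_bidi_controls(name)
    return {
        "bidi_controls": controls,
        "displayed_as": shown,
        "real_extension": _extension(raw),
        "displayed_extension": _extension(shown),
        "suspicious": bool(controls) and _extension(raw) != _extension(shown),
    }


if __name__ == "__main__":
    # Constructed sample: a .js file padded so the RLO makes it read as a .png
    print(assess("photo_high_re\u202egnp.js"))
```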

Kaspersky found that the vulnerability has been exploited to mine cryptocurrency such as Monero, Zcash and Fantomcoin on a victim’s computer. In some cases, the zero-day was used to deploy spyware or remote control malware.

Firsh writes that Kaspersky doesn’t know exactly which versions of Telegram have been affected in the past, but that the exploitation in its Windows client has been going on since March 2017. All exploitation cases that Kaspersky detected occurred in Russia, which suggests that only Russian hackers have exploited the vulnerability.

“We informed the Telegram developers of the problem, and the vulnerability no longer occurs in Telegram’s products,” Firsh writes.

Telegram boasts more than 100 million active users, according to the company’s website, and is popular in the Middle East and Eastern Europe.
