Hackers have been able to exploit a vulnerability in the Telegram messaging app’s desktop client to earn units of cryptocurrencies, according to Kaspersky Lab.
The security firm said the vulnerability has been actively exploited since March 2017 for the cryptocurrency mining functionality, including Monero (XMR/USD), Zcash (ZEC/USD) and others.
According to the research, the Telegram zero-day vulnerability was based on the RLO (right-to-left override) Unicode method, which can be used by malware creators to mislead users into downloading malicious files disguised, for example, as images.
“Attackers used a hidden Unicode character in the file name that reversed the order of the characters, thus renaming the file itself. As a result, users downloaded hidden malware which was then installed on their computers,” Kaspersky said.
The Lab said it "reported the vulnerability to Telegram and, at the time of publication, the zero-day flaw has not since been observed in messenger’s products."
“We have found several scenarios of this zero-day exploitation that, besides general malware and spyware, was used to deliver mining software – such infections have become a global trend that we have seen throughout the last year. Furthermore, we believe there were other ways to abuse this zero-day vulnerability,” said Alexey Firsh, Malware Analyst, Targeted Attacks Research, Kaspersky Lab.
Kaspersky says its analysis suggests the cybercriminals are of Russian origin, and the company has offered some tips to protect PCs against the attack.
Telegram is holding an ICO seeking to raise about $2 billion to create its own blockchain and cryptocurrency.