James Thew - Fotolia
How does Telegram malware bypass end-to-end encryption?
A Telegram malware called Telegrab targets Telegram's desktop instant messaging service to collect and exfiltrate cache data. Expert Michael Cobb explains how Telegrab works.
Telegram malware known as Telegrab has targeted the encrypted messaging service, according to Cisco Talos. How does Telegrab get around Telegram's end-to-end encryption?
Telegram is a cloud-based, end-to-end encrypted instant messaging app for mobile and desktop, and it has servers spread worldwide for security and speed.
Telegram messages are encrypted and can self-destruct, much to the annoyance of Russia's Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor). Russia is trying to prohibit the app after the Britain-based Telegram Messenger Inc. refused to share technical details and hand over the encryption keys of its users to the Russian Federal Security Service for investigative purposes. Now, researchers at Cisco Talos have discovered Telegram malware, dubbed Telegrab, targeting mainly Russian-speaking users of the app.
The more dangerous second variant of the Telegram malware, Telegrab is being distributed via an .RAR self-extracting file. Once executed, Telegram searches for Chrome browser credentials and session cookies for the default user, as well as any .TXT files present on the system.
Telegrab also drops and executes additional executables to collect cache and encryption key files from the desktop version of the Telegram app, as well as login credentials for the video game storefront Steam. This data is then zipped and exfiltrated. An attacker can then access the victims' session contacts and previous chats by restoring cache and map files into an attacker-controlled Telegram desktop installation.
Although Talos believes there aren't currently any tools that can decrypt the exfiltrated cache information, there have been online discussions regarding developing a tool that could. The keys used to encrypt the Telegram desktop data files are stored in the map files, which are encrypted by the user's password, so a brute-force attack is also a possibility.
Telegrab doesn't actually exploit any vulnerabilities in the Telegram app, but it uses the fact that, unlike the mobile version of Telegram, the desktop version doesn't support the end-to-end encrypted messaging feature called Secret Chats.
The absence of Secret Chats is explained in Telegram's FAQs: "Secret chats require permanent storage on the device, something that Telegram Desktop and Telegram Web don't support at the moment. We may add this in the future. Currently, both the desktop and the web app load messages from the Cloud on startup and discard them when you quit. Since secret chats are not part of the cloud, this would kill all your secret chats each time you shut down your computer. Secret chats are also device-specific and disappear if you log out ..."
However, Telegram Desktop doesn't have the auto-logout feature turned on by default, so hackers who have access to a target's computer can hijack Telegram sessions via the program's cache unless the user has manually logged out.
After studying how the Telegram malware works, the researchers at Talos concluded that its creator is most likely a hacker who goes by the names Racoon Hacker and Eyenot. YouTube videos explaining how to use a target's stolen Telegram data to hijack their sessions have also been linked to the same hacker.
Telegrab is not a particularly sophisticated attack -- there is no persistence mechanism, for example -- but it still has the potential to put thousands of users' privacy at risk. The existence of the Telegrab malware highlights the importance of emphasizing and explaining an app's security features and ensuring that default settings don't put user data at risk.
Ask the expert:
Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)