Talos Intelligence, Cisco’s security research division, discovered a new type of malware that steals encryption keys and cache data from the Telegram messenger on the desktop. The news comes after both the Russian and Iranian governments have started to block the Telegram messenger in their own countries.
“Telegrab” Malware
The Talos researchers first saw the malware, which it named "Telegrab," on April 4, 2018, with a second variant emerging on April 10. The first version stole browser credentials and cookies, as well as all the text files it could find on the system. The second variant was upgraded to steal Telegram’s cache files and encryption keys, as well as login credentials for the Steam website.
The security researchers said that the malware is primarily targeting Russian speakers, and it purposefully tries to avoid IP addresses that use anonymization services.
The malware exploits a design flaw of the desktop version of the Telegram application that doesn’t support end-to-end encrypted chats at all (the mobile apps only support it optionally in the "Secret Chat" mode). Because of that, it also lacks the ability to auto-logout, which means the malware can gain access to Telegram’s stored files on the desktop.
Impact
The Talos team warned that encrypted messengers with bad default settings, such as the desktop version of Telegram, can put users’ privacy and security in jeopardy. The researchers also said that the malware isn’t even that sophisticated, but that it is efficient. For instance, it doesn’t have persistence on the user’s machine, so it will disappear on reboot.
Even so, the malware’s makers have been able to steal thousands of credentials in less than a month. These credentials can then also be used by the attackers to log into other online services, if people re-used their passwords (which of course is not an uncommon thing).
Until Telegram implements its own protection mechanisms against this type of malware stealing its users' data, you may have to rely on anti-virus programs that can detect this type of malware to block it.
