14 comments

[ 2.7 ms ] story [ 47.5 ms ] thread
Based on the description of the exploit:

> The exploit takes advantage of Telegram’s default setting to automatically download media files. The option can be disabled manually, but in that case, the payload could still be installed on the device if a user tapped the download button in the top left corner of the shared file.

I don't see why this exploit could not be exploited on iOS.

> If the user tried to play the “video,” Telegram displayed a message that it was unable to play it and suggested using an external player. The hackers disguised a malicious app as this external player.

However, it seems a disguised way to invite the user to install an external application... Is it from the Google Play Store? Or an external APK that the user has to download from a website, and install himself?

The exploit is that the video is actually an APK. So tapping the video -> "Telegram cannot play this. Open in an external app?" -> Afterwards prompts the user to install the APK.

As such, the user must give Telegram rights to install unknown APKs for it to work. The user will be prompted to enable this setting, but I guess they might think it's Telegram recommending a video player and actually go through with it.

Unless the user has a habit of installing APKs from Telegram, the workflow will probably be: tapping the video -> "Telegram cannot play this. Open in an external app?" -> "APK installation is restricted for this app (click 'settings')" -> "Install unknown apps (click 'allow from this source')" -> Go back -> Open the video again -> "Do you want to install this application?"

If you call the app "video player required for this movie" you may be able to convince users to give all of these permissions, but this isn't like the type confusion exploits on Windows where you can go from application to executing a program in one click.

This is absolutely a failure I Telegram for not recognising APK as malicious.

But Telegram does not have permission to install apps. For this to work the user must perform not one but two stupid things.

Hold on, does Android not require the application to include something in its manifest in order to be granted APK installation permission? Like how for every other permission request an app has to declare upfront that it requires/may request that permission?
It's not really Telegram that's installing the APK. It's just trying to open the file with your default APK file handler. Which is the system, and by default doesn't allow arbitrary APK installation.

Think using a browser to download an installer. You download the installer, then open the installer file, it's not the browser that's installing the software it's you opening the installer file.

Telegram shouldn't assume it's a video file because that makes it confusing for the user, but tbh if I want to send a friend an APK and they want to install it shouldn't that be allowed? Software freedom, control over your own device and all?

Telegram should not be tricked into downloading an apk as a video.

I assume you can send a normal apk to your friends and Telegram correctly warns the recipient when that happens.

But when it's a "video"...

So the way it works is: an app initiates an Open intent with the apk, the system handles this as an install, then the installer checks to see if the app initiating the intent has the "install unknown applications" permission. The problem is that the user can grant any application that special permission. It shouldn't work like that; an app should have to list that permission as one it accepts, which would avoid scenarios like this without interfering with user freedom (you can download the apk sent on Telegram, then open it in your file browser or something which allows itself to be given app installation permission).
Yeah this is not a zero day.
This isn’t a zero day nor does it really seem like Telegram’s fault, this is just how android itself works by design and this would likely affect any app that didn’t have specialized logic to recognize a malformed apk file. If an app tells android “open this file” it’s going to search for something that can read it, in the case of something with an apk manifest that becomes the system installer.

It’s still very unlikely to happen since android will warn you and you have to go through several dialogs to enable installing the apk.

This will be an unpopular opinion, and I’m not saying their argument is correct, or that the good doesn’t outweigh the risk - but this is exactly what Apple was talking about when they explained why they don’t want side loading.

(comment deleted)