Cyber attackers exploited a zero-day vulnerability in the Telegram messaging app for months to install malware and hijack computing resources to mine cryptocurrency, researchers have found.

The discovery further underlines the importance of end-user security awareness training and the fact that even though apps offer encryption to ensure privacy, that in itself is no guarantee that the apps are safe.

The attackers, believed to be Russian-speaking, used a zero-day vulnerability in the Windows client of the Telegram Desktop app to deliver multipurpose malware, which could be used either to gain remote access to the target computer to install other malware or mine cryptocurrency, according to researchers at Kaspersky Lab.

The researchers found that the vulnerability had been exploited since March 2017 to mine cryptocurrencies such as monero, which has become increasingly popular with attackers since bitcoin has begun to drop in value and because it is more difficult to track and trace.

News of the Telegram exploit comes just days after attackers were found to be using a compromised browser plugin to distribute cryptocurrency mining software through thousands of websites, including prominent public sector websites. This type of attack, known as cryptojacking, has gained popularity as cyber criminals have turned their attention to making money through cryptocurrencies.

According to Nadav Avital, security researcher at Imperva, cryptocurrency mining malware is becoming an appealing method of attack because:

The technical entry level is low and to run such malware requires only a few lines of code.

The money goes directly to the attackers, with no need of a middle man.

Depending on the cryptocurrency, the transactions are anonymous and difficult to trace.

The Kaspersky Lab researchers found that the Telegram zero-day vulnerability was based on the RLO (right-to-left override) Unicode method, which is used for coding languages that are written from right to left, like Arabic or Hebrew. However, it is also used by malware creators to mislead users into downloading malicious files disguised as images, for example.

Attackers used a hidden Unicode character in the file name that reversed the order of the characters, thus renaming the file itself. As a result, users downloaded hidden malware which was then installed on their computers.

Leigh-Anne Galloway, cyber security resilience lead at Positive.com, said the attack campaign is relatively straightforward, taking advantage of people failing to check before they click.

“A growing number of people are using these kinds of messaging apps to share information and the fact that they are encrypted gives us confidence – but it isn't always safe,” she said. “The age-old advice stands – whatever application you are using, don’t click on links or download attachments without knowing who they are from. Social engineering is the oldest trick in the book, but it works time and again because that advice isn’t heeded.”

Kaspersky Lab reported the vulnerability to Telegram and, at the time of publication, the zero-day flaw has not since been observed in messenger’s products.

“The popularity of instant messenger services is incredibly high, and it is extremely important that developers provide proper protection for their users so that they don’t become easy targets for criminals,” said Alexey Firsh, malware analyst, targeted attacks research at Kaspersky Lab.

“We have found several scenarios of this zero-day exploitation that, besides general malware and spyware, were used to deliver mining software. Such infections have become a global trend that we have seen throughout the last year. Also, we believe there were other ways to abuse this zero-day vulnerability.”

To protect against this type of attack, Kaspersky Lab recommends that users: