Poisoning the download cache in Telegram for Android

There is a well-known scene in the movie “The Matrix” in which Neo notices two completely identical black cats, after which his companions talk about a “glitch in the matrix,” and complete chaos immediately follows. A couple of weeks ago I experienced a similar feeling of déjà vu when I least expected it.

My friend Lesha Pavlov is building an Android application for the “Theoesthetics” podcast, and I volunteered to help as an alpha tester. He sends me a 6.6 MB file, theoaesthetics.apk, via Telegram; I load it into my Telegram for Android and try to install it, but the system settings don’t allow it. I save it to the “Downloads” folder and try to install it from there, but it doesn’t work either – probably my phone is too old. I report this to Lesha, he rebuilds the application and sends a new theoaesthetics.apk, this time 5.6 MB in size. Okay, I download it and try to install it by the same route, but get the same result. And then an attentive eye notices that the file in the “Download” folder is not 5.6 MB but 6.6 MB. Well, okay, apparently I tapped in the wrong place. I download the file again and watch it happen for real: I download a file of 5.6 MB, and in the folder there is a file of 6.6 MB. Okay, I’m a programmer: I clear the cache of downloaded files, download the correct apk, and this one installs and works… But this is a very unpleasant bug, a glitch in the matrix.

I poked my Telegram with a stick, and it turned out that the problem reproduces in 100% of cases: the file that was first downloaded from the network into the bowels of Telegram for Android is always the one placed in the “Download” folder. I enlisted the help of my colleague (thanks again, Lev!), who, at my request, sent me a new file with the same name as a file from a different chat, and everything repeated itself. Moreover, if you open the file inside Telegram, it opens exactly as expected, but if you save it to the “Download” folder (which on my phone is required by default in order to install an apk), then the wrong file is written. This is not just a bug, but a whole vulnerability!

Telegram applications are notorious for their default settings: they download everything from visited personal chats/groups/channels, automatically play videos and GIFs, and store everything for a long, long time. This is a security risk, and there are examples of it. A couple of months ago CertiK warned in general terms that automatic downloading in Telegram is dangerous, but Telegram’s people said this was all untrue. Just a few days later, details of an RCE vulnerability became known. Cunning PR people from Telegram said that Python on Windows plus a vulnerable version of Telegram Desktop is allegedly used by less than 0.01% of their users (did they say this from gut feeling, or at the cost of violating user privacy?), but unfortunately they “forgot” to mention that the people with Python on their machines are often the developers with read/write access to invaluable private repositories.

When I install Telegram somewhere, the first thing I do is change the autoplay and autoload settings, because the first is simply annoying and the second eats up traffic and disk. I won’t state offhand what the default settings are in the Android application, but I suspect that at least in some scenarios (for example, in personal chats) files up to several MB in size are downloaded automatically when connected, say, via Wi-Fi. Even if everything were disabled by default, a number of people turn these perfectly standard Telegram settings on by hand and clearly want autoloading, which the Telegram developers consider a completely safe scenario. And even if there were no autoloading at all, what’s wrong with downloading an apk without launching it? You can download it not even to the “Download” folder, but only into the internal storage of Telegram for Android. This can also happen as a result of accidentally tapping in the wrong place on the screen. In a word, nothing foreshadowed trouble, but…

It turns out that the cache of downloaded files in Telegram for Android can be “poisoned” by filling it with “bad” files, which amounts to the well-known “cache poisoning” attack. The most dangerous scenario I came up with is this. Suppose that for some reason it is acceptable for the victim to download apk files from Telegram: for example, the victim is involved in software development and testing (you can get a lot from hacking such a person!) or trusts some source of apk files (say, a channel with cracked applications run by her friend). The weakest point of my attack: if the attacker guesses the name of the file that the victim is going to download from this trusted source, then he can first poison the Telegram for Android cache on the victim’s device with his malicious apk. By the way, this can be done not only with apk files but also with important documents, which is an interesting scenario in itself. Guessing a name can be difficult, but carpet-bombing tactics are possible: “poison” many different names at once. The victim will have to enter a channel, public or private chat under the attacker’s control, but this seems easy to arrange. You can send the malware to the victim in a personal chat, or drop a link to a group chat/channel containing the malware, and if privacy settings allow, simply add the victim there unceremoniously – she’ll probably take a look. After that, all you have to do is wait for the untrusted file to open after a trusted one with the same name has been downloaded. The scenario is not a sure thing, no doubt, but you can’t call it fantastic either.
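To make the mechanism behind the two paragraphs above concrete, here is an added model (not Telegram’s code, and not part of the original post) of a download cache keyed by file name only, beside a hardened variant keyed by document identity that re-verifies the bytes before they leave the app. The class and function names, and the two sample files, are constructed for the example; a content hash stands in for Telegram’s server-side document id.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    """A file attachment as it appears in a chat: display name plus the bytes behind it."""
    name: str
    data: bytes

    @property
    def doc_id(self) -> str:
        # Telegram keys documents by a server-side id; a content hash stands in for it here.
        return hashlib.sha256(self.data).hexdigest()


class NameKeyedCache:
    """The behaviour the post describes: the first file downloaded under a name wins forever."""

    def __init__(self) -> None:
        self._store = {}

    def download(self, doc: Document) -> None:
        self._store.setdefault(doc.name, doc.data)  # an existing name is never replaced

    def save_to_downloads(self, doc: Document) -> bytes:
        return self._store[doc.name]  # looked up by display name, not by document identity


class IdKeyedCache:
    """Hardened form: keyed by document identity, and verified again before leaving the app."""

    def __init__(self) -> None:
        self._store = {}

    def download(self, doc: Document) -> None:
        self._store[doc.doc_id] = doc.data

    def save_to_downloads(self, doc: Document) -> bytes:
        data = self._store[doc.doc_id]
        if hashlib.sha256(data).hexdigest() != doc.doc_id:  # never copy out what was not asked for
            raise ValueError(f"cache entry for {doc.name} does not match the requested document")
        return data


# Constructed sample: two different files sharing one name, received from two different chats.
UNTRUSTED = Document("theoaesthetics.apk", b"file seen first, from an untrusted chat")
TRUSTED = Document("theoaesthetics.apk", b"rebuilt apk, from the friend's chat")


def saved_bytes(cache_cls) -> bytes:
    # Download the untrusted copy first, then the trusted one, then save the trusted one.
    cache = cache_cls()
    cache.download(UNTRUSTED)
    cache.download(TRUSTED)
    return cache.save_to_downloads(TRUSTED)
```

With the name-keyed cache the bytes written to “Downloads” are the untrusted file’s, exactly the symptom in the post; with the id-keyed cache they are the file the user actually asked for.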

I googled it, and the problem turned out to be known: there are at least two bug reports (one and two), and there is even a pull request from a third-party developer with a fix, but for now things remain where they were. More precisely, the two bugs and the pull request concerned only the user experience when downloading from the same place, without considering downloads from different places and, accordingly, security. And here I jump out from ambush, armed with paranoia. As Thomas Pynchon used to say, “Paranoia’s the garlic in life’s kitchen, right, you can never have too much.” The rabbit hole turned out to be really deep.

I did not find a similar problem in the Windows application or the web application. The internal folder of downloaded files in the Windows application had long aroused my suspicions; I once even tested a scenario there with identical file names in the same chat, found no problems and calmed down (in vain, as it turned out).

I wrote to security@telegram.org once, then again, then to the developer of the Telegram Android application at his personal email dkaraush@gmail.com, but alas, I received no response at all for more than two weeks. My original complaint to the developers in English is here (sorry for my bad English). It is clear that fixing problems takes time, and I was not at all averse to waiting, but I did not get a word from either a person or an auto-responder. Unpleasant. My blood is boiling, my hot heart is bursting out of my chest, I’m tired of staying silent, so I decided to make this story public in the name of the victory of all good over all bad. A lesson to good fellows (and to fair maidens, we can’t do without them)!

This is how useful it can be to test your friends’ apps. Thank you, Lesha, your application became useful even before its release!
