Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Messaging Apps. Show all posts

Examining Telegram’s Encryption Flaws: Security Risks and Privacy Concerns

 

Telegram is often perceived as a secure messaging app, but this perception is flawed. Unlike WhatsApp, Telegram doesn’t have end-to-end encryption by default. While Secret Chats offer encryption, users must manually activate this feature, and it doesn’t apply to group chats or desktop versions. Additionally, Telegram’s encryption is proprietary and not open to public audits, making it hard to verify its security. This leaves room for potential vulnerabilities, including access by admins, authorities, and hackers. While Telegram is widely used for its innovative features like chat organization and community management, its encryption methods raise red flags among security experts. The platform encrypts data in transit, preventing message interception. 

However, the majority of conversations on Telegram are not end-to-end encrypted, meaning administrators could access them if required by law enforcement. This poses risks for users discussing sensitive topics or sharing confidential information. Moreover, Telegram’s encryption methods are seen as complex and opaque. For example, the optional Secret Chats use a proprietary encryption algorithm, which is difficult to verify and may include hidden vulnerabilities. Cryptography professionals have criticized this, noting that unless an encryption system is open-source, it cannot be thoroughly vetted for weaknesses or backdoors. One of the significant drawbacks of Telegram’s security is its inapplicability to group chats. Group conversations cannot be encrypted, which increases the risk of unauthorized access to user messages. 

For those needing strong privacy for sensitive communications, this is a serious limitation. Given that other popular messaging platforms like Signal and WhatsApp offer end-to-end encryption by default, users of Telegram may want to reconsider using the app for private or sensitive discussions. Signal, for instance, uses the highly respected Signal Protocol, which has been audited and proven to be robust. Telegram, by comparison, leaves users with limited protection due to its closed-source encryption. Despite these concerns, Telegram remains a popular app due to its versatile features, making it more than just a messaging platform. Telegram’s organizational tools, community management features, and ability to broadcast information have made it a favorite among certain groups, especially those sharing tech news or international updates. 

However, for those who prioritize security, Telegram’s limited encryption may not be sufficient, making apps like Signal or even WhatsApp a safer option for encrypted messaging. While Telegram has many innovative features, its encryption limitations leave it far from being the most secure messaging app.

The Dual Nature of Telegram: From Protest Tool to Platform for Criminal Activity

 

Telegram, a messaging app co-founded by Pavel Durov in 2013, has become one of the world’s largest communication platforms, with over 900 million users. The app’s dual nature has recently put it in the spotlight after Durov was arrested in Paris on August 24, reportedly at the request of a special unit within France’s Interior Ministry that investigates crimes against minors. This incident has sparked renewed scrutiny of Telegram’s role in global communications. 

Initially, Telegram was created in response to the Russian government’s crackdown on pro-democracy protests in 2011 and 2012. The app’s primary selling points—encryption of communications and user anonymity—made it an attractive tool for activists worldwide. Telegram gained notoriety during the 2020 Belarus protests against a rigged presidential election, where activists used it to coordinate actions while evading government surveillance. Similarly, during Iran’s 2018 anti-government protests, Telegram was crucial for organizing and sharing uncensored information, attracting an estimated 40 million users in the country. The app’s ability to facilitate communication under oppressive regimes highlighted its potential as a tool for free expression and resistance. 

However, Telegram’s lack of moderation and security features has also made it a haven for criminal activity. Its encryption and anonymity appeal to drug dealers, pedophiles, and those trading illegal goods. A 2019 BBC investigation found that criminals were using Telegram to distribute child sexual abuse material and stolen credit card information, often embedding links to illegal content within public comments on YouTube videos. Telegram’s relaxed policies have made it easier for users with malicious intent to exploit the platform. Additionally, Telegram has become a powerful tool for disinformation, particularly in Central and Eastern Europe. A 2023 investigative report identified the app as the largest platform for disinformation in the region, with German-language channels playing a significant role in influencing extremist opinions. 

Since Russia’s invasion of Ukraine in 2022, the Kremlin and affiliated groups have increasingly used Telegram for propaganda, recruitment, and fundraising. Pro-Russian channels experienced a surge in subscribers, turning Telegram into a key communication tool for the conflict. The app’s dual role has drawn global attention, especially as Durov’s case unfolds in France. Telegram defended its stance by arguing that holding an owner responsible for all platform activities is “absurd.” 

Yet, this controversy highlights the broader challenge of balancing privacy and free speech with the need to combat illegal and harmful activities online. As authorities grapple with these issues, the future of Telegram remains uncertain, balancing its potential for good against the misuse by those with nefarious intentions.

EU Proposes New Law to Allow Bulk Scanning of Chat Messages

 

The European elections have ended, and the European football tournament is in full flow; why not allow bulk searches of people's private communications, including encrypted ones? Activists around Europe are outraged by the proposed European Union legislation. 

The EU governments' vote on Thursday in a significant Permanent Representatives Committee meeting would not have been the final obstacle to the legislation that aims to identify child sexual abuse material (CSAM). At the last minute, the contentious question was taken off the agenda. 

However, if the EU Council approves the Chat Control regulation later rather than sooner, experts believe it will be enacted towards the end of the difficult political process. Thus, the activists have asked Europeans to take action and keep up the pressure.

EU Council deaf to criticism

Actually, a regulation requiring chat services like Facebook Messenger and WhatsApp to sift through users' private chats in order to look for grooming and CSAM was first put out in 2022. 

Needless to say, privacy experts denounced it, with cryptography professor Matthew Green stating that the document described "the most sophisticated mass surveillance machinery ever deployed outside of China and the USSR.” 

“Let me be clear what that means: to detect “grooming” is not simply searching for known CSAM. It isn’t using AI to detect new CSAM, which is also on the table. It’s running algorithms reading your actual text messages to figure out what you’re saying, at scale,” stated Green. 

However, the EU has not backed down, and the draft law is currently going through the system. To be more specific, the proposed law would establish a "upload moderation" system to analyse all digital messages, including shared images, videos, and links.

The document is rather wild. Consider end-to-end encryption: on the one hand, the proposed legislation states that it is vital, but it also warns that encrypted messaging platforms may "inadvertently become secure zones where child sexual abuse material can be shared or disseminated." 

The method appears to involve scanning message content before encrypting it using apps such as WhatsApp, Messenger, or Signal. That sounds unconvincing, and it most likely is. 

Even if the regulation is approved by EU countries, additional problems may arise once the general public becomes aware of what is at stake. According to a study conducted last year by the European Digital Rights group, 66% of young people in the EU oppose the idea of having their private messages scanned.

Hackers Attack Telegram With DDoS After Targeting Microsoft and X

 

Anonymous Sudan has launched a distributed denial-of-service (DDoS) attack against Telegram in response to the messaging platform's decision to deactivate its principal account, according to threat intelligence firm SOCRadar. 

Anonymous Sudan, claiming to be a hacktivist group motivated by political and religious concerns, carried out DDoS attacks against organisations in Australia, Denmark, France, Germany, India, Israel, Sweden, and the United Kingdom. 

The group has been active since the beginning of the year, and on January 18, it launched its Telegram channel, proclaiming its intention to undertake cyberattacks against any entity that opposes Sudan. The group's operations began with the targeting of many Swedish websites. 

However, in June, Microsoft 365, Outlook, Microsoft Teams, OneDrive for Business, and SharePoint Online were the targets of a string of disruptive DDoS attacks launched by Anonymous Sudan, which quickly gained attention. Cloud computing platform Azure from Microsoft was also impacted. Microsoft, which records the group as Storm-1359, confirmed DDoS attacks were the cause of the interruption after Anonymous Sudan boasted about the strike on their Telegram channel. 

With the goal of forcing Elon Musk into establishing the Starlink service in Sudan, the organisation launched a disruptive DDoS attack against X (previously Twitter) in late August. The hacktivists' primary Telegram channel has been moved temporarily as a result of the attack on Telegram, which had a different objective than the group's usual targets but yet failed to accomplish its goal. 

Uncertainty around the ban on Telegram has led the threat intelligence company to speculate that it may be connected to recent attacks on X or the use of bot accounts. Current DDoS and defacement operations are being carried out by the Anonymous Sudan group, which may not be based in Sudan and may actually have connections to the Russian hacking collective KillNet, according to previous reports from SOCRadar and Truesec. 

The group doesn't request the support of pro-Islamic organisations, only communicates with Russian hackers, and mostly posts in English and Russian rather than Arabic. The campaigns that have been noticed also have no connection to political issues regarding Sudan. 

The group also doesn't seem to be associated with the original Anonymous Sudan hacktivists, who first showed up in Sudan in 2019, or with Anonymous, the decentralised, anti-political hacktivist movement.

Can Messaging Apps Locate You? Here's All You Need to Know

 

If you're worried about cybersecurity, you might question whether texting apps can follow you. Yes, but it's not as big of a deal as you believe. Understanding how location monitoring works on major messaging applications, as well as the risks associated with it, is critical. Many social media apps require location information in order to streamline the services they provide. Road directions, food delivery, and other features that require access to your location to serve you better are examples of these services. So messaging applications can easily and precisely follow you, and they collect this information from you in a variety of ways.

One of the most typical methods is to simply ask you to enable your location and grant the app permission to access it. The GPS technology allows the programme to access your latitude and longitude coordinates, pinpointing your location, after you grant it permission. For example, several free messaging programmes, including your standard SMS app, iMessage, and WhatsApp, provide a live-location function that allows you to share your current location if necessary.

Wi-Fi and Bluetooth signals from your phone can also provide location information. Apps that monitor the signal strength of adjacent Wi-Fi routers and Bluetooth devices can track your whereabouts. However, this technology is less dependable than GPS tracking and can only provide an estimated location.

Some photo-sharing social networking apps, such as Instagram and Snapchat, leverage location-based functionality on your device, such as geotagging photos or providing more accurate search results. Then there's Twitter, which uses algorithms to serve your feed items based on location.

Another culprit is your IP address. When a device connects to the internet, it is assigned a unique IP address. This address may expose your general location, such as your city or area. Location history (a record of where your phone, i.e. you, has been) can be stored on the servers of apps like Snapchat.

Most messaging apps provide thorough information about their privacy policies and how they track your location and keep your data. So, rather than skipping them without reading the material, you should go into them. If you are uncomfortable with their practices, you can restrict their access through your device settings. However, doing so may result in inconsistencies and inaccuracies with the app's location-based functionality. The most serious hazards linked with location tracking by messaging media apps are invasions of privacy and data breaches.

How to Prevent Messaging Apps from Tracking You

Using airplane mode is the best approach to prevent your location from being tracked. However, doing so would disable incoming calls as well as your data connection. Fortunately, there are less restrictive methods for preventing messaging apps from seeing your location data.

You can always disable your location. Most phones feature a button in the quick panel for this. However, if yours does not, you can do so using a Samsung Galaxy phone:
  • Go to your phone's Settings.
  • Head over to Apps.
  • Select the app you want to turn on/off privacy access.  
  • Tap on Permissions, and then Location.
  • Tap Deny, and WhatsApp won't have access to your location anymore.
VPNs, or Virtual Private Networks: They protect your privacy by routing your internet traffic through a remote server operated by the VPN operator. A VPN uses a variety of approaches to prevent tracking. First, it switches your IP address to that of the VPN server in another location, which is usually far away. Any programme that attempts to trace your location using your IP address will be unable to do so because it has been changed to that of the VPN server.

Premium VPNs also encrypt your data, disguising the data transmitted between your device and the VPN server. Any third party attempting to intercept it will find it illegible as a result. They frequently feature firewalls and ad blockers that they can employ to avoid any problems.

Utilize Private Browsers: Some web browsers include firewalls and ad blockers that restrict third-party cookies and delete your browsing history when you close the app. So, if you use these private browsers to access social media, you can be confident that your location is hidden from prying eyes.

One must also study the privacy policies of these apps and take steps to limit the location sharing to trusted contacts only.

Transparent Tribe Hackers Disseminate CapraRAT via Trojanized Messaging Apps

 

Transparent Tribe, an alleged Pakistan-aligned advanced persistent threat (APT) group, has been interconnected to an ongoing cyber espionage campaign targeting Indian and Pakistani Android users with a backdoor called CapraRAT. 

"Transparent Tribe distributed the Android CapraRAT backdoor via trojanized secure messaging and calling apps branded as MeetsApp and MeetUp," ESET said in a report shared with The Hacker News.

It is estimated that up to 150 victims, most of whom have military or political affiliations, were targeted, with the malware (com.meetup.app) available for download from fake websites posing as official distribution centers for these apps. The targets are believed to have been lured by a honeytrap romance scam in which the threat actor approaches the victims via another platform and persuades them to install malware-laced apps under the guise of "secure" messaging and calling.

The targets are believed to have been lured by a honeytrap romance scam in which the threat actor approaches the victims via another platform and persuades them to install malware-laced apps under the guise of "secure" messaging and calling.

The apps, however, come pre-installed with CapraRAT, a modified version of the open-source AndroRAT that Trend Micro first documented in February 2022 and that exhibits overlap with a Windows malware known as CrimsonRAT.

The backdoor includes a plethora of features that allow it to capture screenshots and photos, record phone calls and surrounding audio, and exfiltrate sensitive data. It can also make calls, send SMS messages, and receive download commands. However, in sequence to use the app's features, users must first create an account by linking their phone numbers and completing an SMS verification step.

As stated by the Slovak cybersecurity firm, the campaign is narrowly targeted and there is no evidence that the apps were available on the Google Play Store.

Transparent Tribe, also known as APT36, Operation C-Major, and Mythic Leopard, was recently linked to another wave of attacks against Indian government organizations using malicious versions of the Kavach two-factor authentication solution.

The research comes just weeks after cybersecurity firm ThreatMon detailed a spear-phishing campaign by SideCopy actors targeting Indian government entities with the goal of deploying an updated version of the ReverseRAT backdoor.

WhatsApp: Instant Messaging App Services Restored After a 2 Hour Outage

The instant messaging app WhatsApp is restored after a two-hour-long outage on Tuesday. WhatsApp, with around a billion active users, was alerted about the global outage when hundreds of thousands of its online users reported the disruption in their messaging app. 

Reportedly, the instant messaging platform went down at 12:30 PM IST, on Tuesday. The users reported they were unable to send messages or make calls through the app, which was earlier thought of as a mere network connectivity issue. The outage was not limited to the smartphone users of the app, since users of WhatsApp web were also facing the same consequences of the disruption. 

As per a report by Downdetector, an online platform providing real-time stats and information regarding online web services, more than 11,000 online users had reported the outage, while in the United Kingdom the count was 68,000. While in Singapore, about 19,000 users reported disruption in the app since 07:50 GMT. 

Downdetector gathers status updates from various sources, including user-submitted errors on its platform, to keep track of outages. There may have been many users who were impacted by the outage. 

Additionally, WaBetaInfo, an online portal tracking WhatsApp services claimed that the issue is indeed from the server’s side and thus cannot be resolved from the online user’s end. 

Soon after acknowledging the issue, WhatsApp’s parent company Meta said that their engineers are working on the outage issue and will solve it as soon as possible. Following this, Meta Spokesperson even apologized to the users for the inconvenience.  

“We are aware that some people are currently having trouble sending messages and we are working to restore WhatsApp for everyone as quickly as possible,” says Meta Company Spokesperson. While the reason behind the outage is still not revealed by the parent company. 

Considering the popularity of the messaging app which has increasingly emerged as an important communication tool between users, businesses, and governments globally, over 100 billion messages are exchanged daily through WhatsApp as of 2020. This recent outage may have affected a large number of users, including government officials and telecom service providers.

The 'Interaction-Less' Flaws in Messaging Apps Allowed Hackers to Eavesdrop

 

Last week, at the Black Hat security conference in Las Vegas, Google’s Project Zero researcher, Natalie Silvanovich presented her findings of remote eavesdropping bugs in communication apps like Signal, Google Duo, and Facebook Messenger, as well as popular international platforms JioChat and Viettel Mocha. 

Natalie was concerned with the surge of bugs in the popular apps. The vulnerability in the Facebook Messenger app could have allowed hackers to listen in on audio from a victim's device. The flaws in Viettel Mocha and JioChat gave advanced access to both audio and video. The Signal flaw exposed audio only and the Google Duo flaw gave video access, but only for a few seconds. These few seconds were enough to record a few frames or grab screenshots.

In early 2019, a bug in group FaceTime calls of iPhone would have allowed threat actors to activate the microphone, and even the camera, of the iPhone they were calling and eavesdrop before the recipient did anything at all. The implications were so severe that Apple blocked the Group FaceTime feature entirely until the company patched the bug. 

“When I heard about that group Face Time bug, I thought it was a unique bug that would never occur again, but that turned out not to be true. This is something we didn’t know about before, but it’s important now for the people who make communication apps to be aware. You're making a promise to your users that you’re not going to suddenly start transmitting audio or video of them at any time, and it’s your burden to make sure that your application lives up to that,” Silvanovich explained.

Silvanovich has kept a close eye on the “interaction-less” flaws, vulnerabilities that don't require their targets to click a malicious link, download an attachment, enter a password in the wrong place, or engage in any way. 

“The idea that you could find a bug where the impact is, you can cause a call to be answered without any interaction—that's surprising. I went on a bit of a tear and tried to find these vulnerabilities in other applications. And I ended up finding quite a few,” says Silvanovich. 

The developers of messaging apps were extremely responsive about patching the flaws within days or a few weeks of her disclosures. All of the bugs have been patched, but the surge of security loopholes in messaging apps emphasizes how common these flaws can be and the need for developers to take them seriously.