It uses weak security settings, which are set by default in the desktop version of the messenger.
Specialists at the research organization Cisco Talos Intelligence discovered a malicious program that steals cache files and encryption keys from the Telegram desktop client. Representatives of Talos said that this allows the malware to access the victims' contacts and correspondence.
According to security experts, the program almost always chooses its victims among Russian-speaking users. However, its code contains restrictions on attacking accounts that are accessed through anonymizers with IP addresses from Russia.
The detected code does not exploit a vulnerability in Telegram or hack it. It relies on the absence of secret chats in the desktop version: because of this feature, which is not a bug, automatic session termination is disabled by default in the PC version of Telegram. Manually terminating the session effectively refreshes the encryption key and closes access to the files.
Representatives of Talos admitted that the creators of the malicious program may have tools for decrypting the messenger's cache files. They added that until recently members of the organization were not aware of any utilities for accessing the contents of such files.
Talos assessed the danger of the program as "insignificant", especially in comparison with the botnets used by cybercriminals. At the same time, the organization urged developers of encrypted messengers to pay attention to this case: "Unclearly explained functions or bad default settings can compromise private data."