If Telegram is installed on your phone, then there are security and privacy risks you need to understand. But a new report has just warned of an even more dangerous threat to your phone from the messaging app, and one that is getting worse.
There’s nothing quite like Telegram. A messaging platform you might use with your friends and colleagues, but which is also notorious for its use by criminals and terrorists, and which has almost become an easy access version of the dark web.
Those are certainly the findings of a new report this week from Guardio. “This messaging app,” they warn, “has transformed into a bustling hub where seasoned cybercriminals and newcomers alike exchange illicit tools and insights creating a dark and well-oiled supply chain of tools and victims’ data. Free samples, tutorials, kits, even hackers-for-hire—everything needed to construct a complete end-to-end malicious campaign.”
Guardio researched the availability of so-called phishing kits on Telegram, used to attack phones and PCs. The phishing ecosystem, they say, has been democratized. “There was a time when kits, infrastructure, and know-how, were available only on invite-only forums in the Dark web, hidden behind Tor Onion networks. Today, they are readily and publicly available on Telegram—accessible via a simple search.”
If you ever wonder why your email is increasingly peppered by fraudulent mails purporting to be from your bank or service provider, then this is why.
Telegram has certainly hit the mainstream. One of the world’s five most downloaded apps, its press team says, with some 700 million active monthly users. “Telegram is committed to protecting user privacy and human rights such as freedom of speech and assembly. It has played a prominent role in pro-democracy movements around the world, including in Iran, Russia, Belarus, Myanmar and Hong Kong.”
Contrast that with its darker side. Telegram has become the everyday storefront for build-your-own attacks that are then launched at the kind of people using the messaging platform as if it’s just a normal application.
Telegram always had a healthy fan base, albeit somewhat outside the mainstream. But then WhatsApp had some Facebook difficulties in early 2021, and Telegram installs soared. For a while afterwards, it seemed everyone was jumping onboard.
Putting its dark web credentials to one side, the irony with Telegram is that it talks up its security and privacy credentials, but it’s not actually as secure as WhatsApp. There’s no default end-to-end encryption; your message content is protected by policy, not technology. And in a world where Google Messages and even Facebook Messenger now end-to-end encrypt by default, this anomaly is hard to look past.
But while that might be a threat to your privacy, it’s not a threat to your phone. Malware for hire or purchase, on the other hand, most certainly is. Mobile phishing is soaring, given the glued-to-hand nature of our devices, the increase in remote and hybrid working, and—critically—that phishing is just easier on mobiles.
As Lookout explains, “mobile is a vulnerable blind spot—the mobile device presents a fundamentally different environment from a laptop or desktop. They can give a significant leg up to attackers who use the smaller screens, simplified interfaces, and hidden URLs to their advantage. This, coupled with our natural tendency to immediately tap on anything that comes up on our smartphone or tablet screen, gives phishing attacks a higher chance of success.”
And so to Telegram. Guardio describes the ease with which “one can stumble upon… public channels, groups, and bots bustling with thousands of participants… showcasing various products and services, tips and tricks, and knowledge you once had to dig deep into the dark web even to get close to” as startling.
For example, they easily found “a phishing campaign targeting millions of Facebook business accounts… This campaign utilized Telegram channels to offer hijacked social accounts of victims targeted by phishing and malware. On sale are credentials and session cookies—many of them fresh out of the oven, hacked and stolen just hours or even minutes ago, and already available for sale.”
Kaspersky reported on this same Telegram issue last year, warning that “common users are not the only ones who have recognized the messaging app’s handy features—cybercrooks have already made it a branch of the dark web… Phishers create Telegram channels through which they educate their audience about phishing and entertain subscribers with polls like, ‘What type of personal data do you prefer?’”
Guardio’s report walks through the ease with which would-be cyber criminals can set up a phishing webpage, arrange its hosting, and even send out emails that link to their scam. “Our efforts soon start to bear fruit,” they reported. “Victims fall for the trap, clicking on the link and some even proceed to log into the fraudulent bank site—our scampage. Once they do this, their bank accounts become compromised.”
It’s not just criminality on Telegram. It’s known for housing the darkest of content, such as Hamas terror channels in the Middle East. There were reports that the platform had banned access to this content, although that didn’t seem to be the case.
In reality, the platform has been infamous almost since its beginning for shielding illicit content from authorities, playing the anti-establishment role. What has changed is its campaign for legitimacy, which has included waging a social media battle with WhatsApp over which platform is safer and more secure.
So, let’s be very clear. It doesn’t matter if WhatsApp is owned by Meta. The content you send is end-to-end encrypted and you can trust its security and stability. If you have concerns that there may be metadata tracks detailing your location and contact lists, perhaps even who you have messaged and when, then use Signal.
As Kaspersky warned last year, “Telegram’s developers position their product as safe and protected. But in practice that’s not entirely true. The reality is that Telegram has a number of quirks that make protecting your messages a little tricky… some rather dubious features in both the messenger’s interface and general logic make it less secure than is commonly believed.”
In reality, Telegram fails to offer a compelling messaging option given it still does not offer the now-common default end-to-end encryption. And with its previously more hidden, darker side now so close to the surface, my advice is to steer clear. You can ignore the witty X account and banter with other platforms. This isn’t a game.