Zero-click vulnerability afflicts Telegram, allows full device takeover through animated stickers

A critical zero-click vulnerability on Telegram for both Android and Linux allows remote code execution (RCE) through simple animated stickers. Importantly, no user interaction is required.
According to the researchers from the Trend Micro Zero Day Initiative (ZDI) who have identified this particular RCE vulnerability and given it a CVSS score of 9.8, the attack vector is pretty surprising – and simple.
Users are targeted via animated stickers, specially crafted media files that, once delivered, automatically trigger the execution of malicious code.
No confirmation or user interaction is needed, no click is required, users don’t have to open any files: simply receiving content is enough.
“Since this is a zero-click vulnerability, malicious code execution occurs automatically upon receipt of the file, without requiring any interaction or confirmation from the recipient,” said Italy’s National Cybersecurity Agency in an official alert.
“Exploiting this vulnerability could give an attacker control over the device and access to sensitive data, including messages, contacts, and active sessions related to the Telegram account.”
In other words, the flaw is especially insidious: it effectively leaves the door of the targeted device wide open to the attacker, yet the user cannot see or even sense the danger.
The two affected clients are Telegram for Android and Telegram Desktop for Linux. Importantly, no Indicators of Compromise have been released yet, which makes it much harder to determine whether systems have already been targeted.
So far, Telegram Business accounts and organizations that use the platform for professional communications are advised to restrict incoming messages from unknown senders and to accept new conversations only from contacts in their address book or from Premium users.
For the general public, the situation is more complicated: disabling automatic downloads is not sufficient, because sticker parsing still occurs at the system level.
In the absence of a fix, users should consider temporarily removing the native application from Android and Linux systems to eliminate any risk of compromise.
But if using the platform is essential, users could instead rely on the Telegram Web version through an up-to-date browser such as Chrome, Firefox, or Safari.
That’s because the sandboxed architecture of modern browsers offers an additional layer of protection over direct code execution in the native client.
It always pays to be safe on the web, but Telegram users should be especially wary. This month, cybersecurity firm CYFIRMA said that Telegram has transformed from a chat application into an automated shopping platform that supports all sorts of malicious activities, including the sale of malware-as-a-service (MaaS) subscriptions, phishing kits, databases, and initial access credentials.