Telegram for Android: Downloaded Files Cache Poisoning

Иван Зубофф

# Attack surface: Android application

Not affected: Windows application, Web application for mobile, Web application for desktop.

I have not checked other applications, but they may be affected as well.


# Severity: ? [Optional, CVSS v3 rating]


## Description:

Once a *bad* file named "foo.bar" has been downloaded into the Telegram app's internal storage, that cached copy is what gets saved to the "Downloads" folder every time the user tries to save any *good* file named "foo.bar", from any source, to "Downloads".


## Steps to reproduce:

[1] Download some file with any name (say foo.bar, containing the text "A") into internal Telegram storage, either via the "Auto-Download Media" option or by hand, in Telegram for Android. It does not need to be saved to the "Downloads" folder, though it may be.

[2] Try to download any other file with the same name (say foo.bar, containing the text "B") from any source to the "Downloads" folder of your phone. The file from step 1 (foo.bar containing "A") is written to "Downloads" instead of the file you actually tried to download ("B").
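As an added illustration (not Telegram's code and not part of the original report), the following Python model replays the two steps above against a download cache keyed by file name alone and against one keyed by the server's file identifier with a digest check before the cached bytes are copied to "Downloads". The Message fields, the class names and the sample messages are constructed for the example; the `digest` field assumes the client has an expected content hash for the document it is saving, which is an assumption of the model rather than a statement about the Telegram protocol.

```python
"""Download cache keyed by file name (the reported behaviour) next to one
keyed by the server-side file id with a digest check.

Added example, not Telegram code. The Message fields, the NameKeyedCache
and IdKeyedCache classes and the sample messages in demo() are constructed
for illustration; the `digest` field assumes the client knows an expected
content hash for the document it is about to save.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, Tuple


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class Message:
    chat: str        # where the document was received from
    file_id: str     # identifier of the document on the server (assumed stable)
    name: str        # file name chosen by the sender
    content: bytes   # bytes the server would deliver for this document
    digest: str      # expected SHA-256 of content (assumed available to the client)


def make_message(chat: str, file_id: str, name: str, content: bytes) -> Message:
    return Message(chat, file_id, name, content, sha256(content))


class NameKeyedCache:
    """Vulnerable: internal storage is indexed by file name alone."""

    def __init__(self) -> None:
        self.cache: Dict[str, bytes] = {}      # name -> bytes in internal storage
        self.downloads: Dict[str, bytes] = {}  # name -> bytes in "Downloads"

    def fetch(self, msg: Message) -> bytes:
        # Auto-download or manual download into internal storage.
        # A name that is already present counts as a hit, whoever sent it.
        if msg.name not in self.cache:
            self.cache[msg.name] = msg.content
        return self.cache[msg.name]

    def save_to_downloads(self, msg: Message) -> bytes:
        data = self.fetch(msg)  # whatever was cached first under this name
        self.downloads[msg.name] = data
        return data


class IdKeyedCache:
    """Hardened: indexed by file_id, and the cached bytes must match the
    digest of the document actually being saved."""

    def __init__(self) -> None:
        self.cache: Dict[str, bytes] = {}      # file_id -> bytes in internal storage
        self.downloads: Dict[str, bytes] = {}  # name -> bytes in "Downloads"

    def fetch(self, msg: Message) -> bytes:
        data = self.cache.get(msg.file_id)
        if data is None or sha256(data) != msg.digest:
            data = msg.content               # miss or mismatch: (re)download
            self.cache[msg.file_id] = data
        return data

    def save_to_downloads(self, msg: Message) -> bytes:
        data = self.fetch(msg)
        self.downloads[msg.name] = data
        return data


def demo() -> Tuple[bytes, bytes]:
    """Replay steps 1 and 2 against both caches. Returns the bytes that land
    in Downloads for the vulnerable and the hardened cache respectively."""
    attacker = make_message("attacker-channel", "doc-1", "MyApk.apk", b"A")
    friend = make_message("friend-chat", "doc-2", "MyApk.apk", b"B")

    vuln = NameKeyedCache()
    vuln.fetch(attacker)                        # step 1: attacker's file is cached
    from_vuln = vuln.save_to_downloads(friend)  # step 2: user saves the friend's file

    fixed = IdKeyedCache()
    fixed.fetch(attacker)
    from_fixed = fixed.save_to_downloads(friend)
    return from_vuln, from_fixed


if __name__ == "__main__":
    v, f = demo()
    print("name-keyed cache saved:", v)  # b'A' -- the attacker's file
    print("id-keyed cache saved:  ", f)  # b'B' -- the friend's file
```

The point of the hardened variant is that the cache key and the verification are both tied to the identity of the document the user actually tapped on, so a same-named document from an unrelated chat can neither satisfy the lookup nor pass the digest check.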


The attack scenario is the following:

[1] Deliver a malicious file to the victim via Telegram, say an Android application MyApk.apk containing malicious code. Send it to the victim in a private chat, or just post it in some group or channel the victim visits. For example, you may send a completely legitimate link to a channel under your control where the file is posted. No prior interaction or social engineering is required.

[2] One of the following happens:

a) The victim downloads the file and installs it. Of course this is just a phishing attack and is not the interesting case; I am *not* writing this text to describe this scenario. For what follows, let's assume it *does not happen*.

b) The victim has the "Auto-Download Media" option enabled for this setup (e.g. for private chats), so the file is downloaded automatically to some internal folder of Telegram for Android on the victim's device. If I recall correctly, "Auto-Download Media" is on by default for some setups (such as private chats), and it can be enabled manually in any case. This seems quite likely, and it is the most dangerous case because it requires minimal user interaction.

c) Suppose the malicious file was not auto-downloaded because of the settings of the victim's Telegram for Android. The victim can still download the file manually, because that is a seemingly safe action: what's wrong with downloading a file into the internal Telegram folder if I don't launch it? This can happen either deliberately or by accident. This case is weaker than the previous one because it requires some user interaction, but it is still quite plausible.

[3] When the user wants to download a legitimate file with the same name MyApk.apk from a friend, colleague, or trusted Telegram channel or chat, that file is not downloaded; instead our malicious file is copied to the "Downloads" folder, and the user installs it. It is completely counter-intuitive that the file saved is not the one the user tapped "Save to Downloads" on, but an old file from a totally unrelated source. Guessing the right file name may be hard, but it is quite feasible: for example, if the victim is involved in testing the Android application ABCDEF, it is quite likely that at some point they will download a file named ABCDEF.apk. To improve the odds, we can send multiple files with different names; all of them will be downloaded if the victim has "Auto-Download Media" enabled for this setup (e.g. for private chats). The legitimate file cannot be downloaded without clearing the cache or waiting until the malicious file is flushed from it.


## Impact:

This vulnerability allows an attacker to trick the user into installing malicious applications in place of applications legitimately downloaded from trusted sources. The same goes for any other file type: Excel spreadsheets, PDF and doc/docx documents, photos and videos (for example containing disturbing media), and so on.

This is a bug in the code, not a social engineering trick; there are applications without this bug, and it can be fixed relatively easily.


## Additional details:

Here is the ticket that discusses this problem from a usability standpoint, without mentioning security:

https://github.com/DrKLO/Telegram/pull/1812

Related bugs, again without discussion of the security implications:

https://bugs.telegram.org/c/35162

https://bugs.telegram.org/c/32951

So I guess it is legitimate for me to voice my security concerns to you. The vulnerable code is running on millions of devices right now, and it is still not fixed upstream.


Ivan Zuboff

independent security researcher
