A recently identified macOS malware is compromising Telegram accounts by exploiting already active sessions, bypassing the need to crack passwords or two-factor authentication (2FA). This threat copies local session files, allowing unauthorized access on another device without triggering the usual login requirements.
How the Malware Operates
The malicious software targets the Telegram Desktop application by accessing the tdata directory in the user’s Library folder. It extracts session-related files and uploads them alongside other stolen data, including macOS Keychain information, browser credentials, and cryptocurrency wallet databases. This approach is characteristic of macOS-focused threats that target sensitive data.
According to SlowMist, whose report was shared with Cyber Security News, the malware can move an active Telegram session to another Mac, even with Telegram’s Two-Step Verification enabled. This is possible if the victim has not set up a distinct Telegram Desktop passcode.
Broader Implications and Risks
The malware’s impact extends beyond Telegram. It searches for and collects data from 16 different cryptocurrency wallet applications and examines Chromium browser profiles for wallet-extension details. By combining this information with passwords obtained through fake prompts, attackers can decrypt and misuse the data away from the original device.
This threat also replaces legitimate wallet applications with lookalike versions that redirect users to attacker-controlled web pages, making phishing attempts appear as part of a trusted application experience. Users are advised to remain vigilant about unexpected changes in wallet applications to prevent falling victim to these attacks.
Protective Measures and Recommendations
To mitigate the risk of infection, users should terminate active Telegram sessions from trusted devices and reset their login credentials. It’s crucial to update Telegram two-step verification passwords and Desktop passcodes, as well as rotate passwords stored in Keychain, browsers, and notes. Exposed wallets should be transferred to new recovery phrases on secure devices.
Users noticing altered wallet applications are encouraged to remove them, inspect their systems for persistence mechanisms, and only reinstall software from verified sources. Any recovery phrase entered into a suspicious application is considered compromised, necessitating further security measures.
Conclusion
This macOS malware underscores the importance of robust cybersecurity practices. By exploiting existing session data, it circumvents traditional security measures, posing a significant threat to personal and financial data. Staying informed and implementing strong security protocols can help mitigate the risks associated with this evolving threat landscape.
