Scammers can use the Telegram mobile messaging app to connect with a potential victim if they already have the victim's phone number in their contact list.
In a blog post, Fidelis Cybersecurity researcher John Bambenek discusses the ease with which scammers can reach out to Telegram users:
“Here’s the deal: If a scammer signs up for Telegram and already has your phone number in their contact list, it will also notify them that you also have Telegram. So in addition to connecting you to your friends and contacts, the app will also connect scammers directly to you. Likewise, if you have scammers’ numbers in your contact list for some reason, you will get push notifications when they join Telegram…”
What’s going on here? How is this even possible?
Most of us know there are “Do Not Call” rules that help prevent unwanted (spam) calls, and that complaints users file about nuisance numbers on phone number reputation sites build up a record of known offenders. Mobile applications that block unwanted calls build their blocklists from this reputation data.
There’s just one catch. “Do Not Call” rules don’t apply to encrypted messaging apps. Those include Telegram, which has versions for Android and iOS.
That’s annoying, but surely there’s a way of blocking others from seeing you have Telegram installed, right?
You can block specific users. You can choose who can see when you were last active on Telegram. And you can choose whether everybody or just your existing contacts can add you to group chats. But you cannot stop others from learning that you have Telegram installed if they know your mobile number.
To make matters worse, Bambenek said it would be quite easy for someone to develop a method of determining whether a user has installed Telegram on their mobile device. Criminals could use such a service to target unsuspecting users. But so too could law enforcement and intelligence agencies looking to determine “risk factors” among the general population.
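To make the mechanism concrete, here is an added example that is not Bambenek's code and not Telegram's API: a small Python model of a contact-discovery service. The server answers the question every address-book sync asks ("which of these numbers are already users?"), an attacker abuses that by uploading an entire numbering block as if it were an address book, and a defender-side heuristic flags the upload because real address books are sparse rather than runs of consecutive numbers. The registered numbers, the per-request cap and the run-length threshold are all assumptions constructed for the demonstration.

```python
"""Model of phone-number contact discovery and how it leaks registration status.

Added example: a constructed simulation, not Telegram's API or Bambenek's code.
Every phone number below is made up for the demonstration.
"""
from typing import Iterable, List, Sequence

# Constructed set of "registered" numbers in E.164 style (none are real).
REGISTERED = {
    "+15550100017", "+15550100420", "+15550103333",
    "+15550107777", "+15550109999", "+447700900123",
}


class ContactDiscoveryService:
    """Server side of address-book sync: tells a client which of its
    uploaded contacts are already users. This is the feature the article
    describes, reduced to a set membership test."""

    def __init__(self, registered: Iterable[str], max_batch: int = 500):
        self.registered = set(registered)
        self.max_batch = max_batch  # assumed per-request cap on uploaded contacts

    def sync_contacts(self, uploaded: Sequence[str]) -> List[str]:
        """Return the uploaded numbers that belong to registered users."""
        if len(uploaded) > self.max_batch:
            raise ValueError(f"batch of {len(uploaded)} exceeds cap {self.max_batch}")
        return sorted(n for n in uploaded if n in self.registered)


def enumerate_block(service: ContactDiscoveryService, prefix: str,
                    width: int = 4, batch: int = 500) -> List[str]:
    """Attacker side: a 'contact list' that is really every number in a block.
    Sweeps prefix + 0000..9999 (for width 4) in batches the cap allows and
    returns the numbers the service confirms as registered."""
    numbers = [f"{prefix}{i:0{width}d}" for i in range(10 ** width)]
    hits: List[str] = []
    for start in range(0, len(numbers), batch):
        hits.extend(service.sync_contacts(numbers[start:start + batch]))
    return hits


def _digits(number: str) -> int:
    """Reduce a formatted number to its digits so adjacency can be compared."""
    return int("".join(ch for ch in number if ch.isdigit()))


def longest_consecutive_run(uploaded: Sequence[str]) -> int:
    """Length of the longest run of numerically consecutive numbers in one upload."""
    values = sorted(set(_digits(n) for n in uploaded))
    best = run = 1 if values else 0
    for prev, cur in zip(values, values[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def looks_like_enumeration(uploaded: Sequence[str], min_run: int = 50) -> bool:
    """Defender heuristic (assumed threshold): a genuine address book is sparse,
    so a long run of adjacent numbers is the signature of a block sweep."""
    return longest_consecutive_run(uploaded) >= min_run


if __name__ == "__main__":
    svc = ContactDiscoveryService(REGISTERED)
    found = enumerate_block(svc, "+1555010")
    print("registered numbers found in the +1555010 block:", found)
    sweep_batch = [f"+1555010{i:04d}" for i in range(500)]
    print("sweep batch flagged:", looks_like_enumeration(sweep_batch))
    real_book = ["+15550100017", "+447700900123", "+15550107777"]
    print("real address book flagged:", looks_like_enumeration(real_book))
```

The point of the model is that the leak needs no bug: membership testing is the service's purpose, so the only levers a provider has are rate limits, batch caps and behavioural checks like the run-length heuristic above, none of which stop a patient attacker who spreads a sweep across many accounts and many days.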
So what is to be done?
Users of encrypted messaging apps like Telegram, which has seen bugs both real and bogus, need to understand that these risks are out there. As such, they should be careful when approving new contacts, even if the request appears to come from a friend. Ideally, they should confirm the contact through an out-of-band channel before accepting.
They should also review the app’s default settings and check whether they can deny the app access to their address book.
Finally, they should be careful about answering calls from unknown numbers. A simple “hello” tells a scammer that the number is live, and that gives them every reason to keep trying to reach that user for months or even years. All they need is a direct means of communication.
And with apps like Telegram, they’ve got that.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.