Telegram Session Hijacking: Anatomy of a Sophisticated Account Takeover Attack
A new wave of sophisticated attacks targeting Telegram users has emerged, combining social engineering with session hijacking to achieve complete account takeover. This article provides a technical deep-dive into the attack methodology, Telegram’s session management vulnerabilities, and defensive countermeasures.
Executive Summary
Attackers are exploiting Telegram’s session management system through a multi-stage attack:
- Social engineering via fake business meeting invitations
- Trojanized Zoom installer deployment
- Telegram session data exfiltration
- Exploitation of Telegram’s 24-hour security delay for permanent account takeover
The attack is particularly dangerous because it exploits legitimate security features designed to protect users, turning them into weapons against the victim.
Attack Flow Overview
```mermaid
sequenceDiagram
participant A as Attacker
participant V as Victim
participant T as Telegram Server
participant M as Malware
A->>V: 1. Business meeting proposal
A->>V: 2. Sends fake Zoom link
V->>M: 3. Downloads & installs "Zoom"
M->>M: 4. Executes Trojan payload
M->>A: 5. Exfiltrates session data (tdata)
A->>T: 6. Establishes session with stolen auth key
Note over A,T: 7. Both sessions now active
A->>T: 8. Terminates victim's session
V->>T: 9. Victim logs back in (new session)
Note over V,T: 10. New session has restricted privileges
Note over A,T: 11. After 24h, attacker gains full control
A->>T: 12. Removes victim's phone number
```
Stage 1: Social Engineering - The Initial Contact
The attack begins with a carefully crafted social engineering approach. The attacker initiates contact through Telegram, typically posing as:
- A potential business partner or investor
- A recruiter from a well-known company
- A collaborator on a cryptocurrency or tech project
- A journalist seeking an interview
The pretext is always a video meeting that requires Zoom installation.
Why Zoom?
Zoom is the perfect cover for several reasons:
- Universal acceptance: Most professionals are familiar with Zoom
- Large installer size: A 100MB+ installer doesn’t raise suspicion
- Elevated permissions: Users expect Zoom to request system access
- Urgency factor: “The meeting is in 30 minutes” pressures quick installation
Red Flags to Watch
- Unsolicited business proposals from unknown contacts
- Pressure to install software before a meeting
- Download links that don’t point to official domains (zoom.us)
- Links hosted on file-sharing services or shortened URLs
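As an added example (not part of the original article), the following Python checker applies the two link-related red flags above to a download URL before anyone clicks it. The allow-list holds only the zoom.us domain named above; the shortener and file-sharing host lists, the .example domains and the 203.0.113.5 address in the usage are constructed for illustration. It also goes slightly beyond the list by catching two tricks that make a hostile link look official at a glance: credentials placed in front of the real host and punycode hostnames.

```python
import ipaddress
from urllib.parse import urlsplit

# Official download domain from the article; subdomains of it are accepted too.
OFFICIAL_HOSTS = {"zoom.us"}
# Constructed, non-exhaustive lists for this example: shortener and file-sharing hosts.
SHORTENER_HOSTS = {"bit.ly", "t.co", "tinyurl.com"}
FILE_SHARING_HOSTS = {"drive.google.com", "dropbox.com", "mega.nz", "wetransfer.com"}


def _under_domain(host, domains):
    """True if host equals one of the domains or is a subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in domains)


def classify_download_link(url):
    """Return (verdict, reason) for a download link.

    verdict is 'official', 'suspicious' or 'invalid'. Beyond the red flags in the
    list above (non-official domain, file-sharing host, shortened URL) it catches
    two tricks that make a hostile link look official at a glance.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return "invalid", "unparseable URL"
    if parts.scheme not in ("http", "https"):
        return "suspicious", f"unexpected scheme {parts.scheme!r}"
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "invalid", "no host in URL"
    # https://zoom.us@evil.example/ shows zoom.us first but connects to evil.example
    if parts.username is not None:
        return "suspicious", f"credentials before the real host {host}"
    # Punycode labels can render as lookalike characters in some clients
    if any(label.startswith("xn--") for label in host.split(".")):
        return "suspicious", f"internationalised (punycode) hostname {host}"
    try:
        ipaddress.ip_address(host)
        return "suspicious", f"bare IP address {host} instead of a domain"
    except ValueError:
        pass
    if _under_domain(host, OFFICIAL_HOSTS):
        if parts.scheme != "https":
            return "suspicious", f"official host {host} but not HTTPS"
        return "official", f"{host} is under an official download domain"
    if _under_domain(host, SHORTENER_HOSTS):
        return "suspicious", f"shortener {host} hides the real destination"
    if _under_domain(host, FILE_SHARING_HOSTS):
        return "suspicious", f"installer hosted on file-sharing service {host}"
    # zoom.us.example or zoom-us.example: the official name embedded in another domain
    if "zoom" in host:
        return "suspicious", f"lookalike domain {host} is not an official host"
    return "suspicious", f"{host} is not an official download domain"


if __name__ == "__main__":
    # Constructed sample links: one official, three of the lookalike/hosting patterns
    for link in ["https://zoom.us/download",
                 "https://zoom.us.update-portal.example/ZoomInstaller.exe",
                 "https://zoom.us@files.example/ZoomInstaller.exe",
                 "http://203.0.113.5/ZoomInstaller.exe"]:
        print(link, "->", classify_download_link(link))
```

The order of checks matters: the userinfo and punycode tests run before the allow-list so that a hostname which merely contains "zoom.us" cannot pass as official. Anything that is neither official nor on a known hosting list is still reported as suspicious, since the policy for installers is an allow-list, not a block-list.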
Stage 2: Malware Deployment
The Trojanized Installer
The fake Zoom installer is typically a sophisticated piece of malware that:
- Displays a legitimate-looking installation UI: often extracted from actual Zoom installers
- May install real Zoom: to avoid immediate suspicion
- Deploys the malicious payload: running silently in the background
Technical Implementation
The malware targets Telegram’s session storage locations:
| Platform | Session Data Location |
|---|---|
| Windows | %APPDATA%\Telegram Desktop\tdata\ |
| macOS | ~/Library/Application Support/Telegram Desktop/tdata/ |
| Linux | ~/.local/share/TelegramDesktop/tdata/ |
The critical files within tdata include:
```
tdata/
├── D877F783D5D3EF8C/   # Auth key directory (name varies)
│   ├── map0            # Session mapping
│   └── map1            # Backup mapping
├── key_datas           # Encrypted key data
├── settings0           # User settings
└── settings1           # Backup settings
```
Session Data Structure
Telegram’s session authentication relies on:
- Auth Key: A 256-bit key established during initial authentication
- Server Salt: Used for message encryption
- Session ID: Identifies the current session
- Sequence Number: Prevents replay attacks
When the malware exfiltrates the tdata folder, it captures all the cryptographic material needed to impersonate the victim’s session.
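The storage paths and file names above give a defender something concrete to watch: nothing but the Telegram client should be reading those files. As an added example (not code from the original article), here is detection logic in Python that runs over file-access records and raises an alert when any other process reads tdata, with a second rule for a burst of reads that looks like a wholesale copy. The event shape, process names and the sample records are constructed for the example; in practice the records would come from an object-access audit source such as Windows event 4663 or auditd.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Path fragments that identify the tdata directory on each platform (from the table above).
TDATA_PATTERNS = [
    re.compile(r"\\Telegram Desktop\\tdata\\", re.IGNORECASE),            # Windows
    re.compile(r"/Library/Application Support/Telegram Desktop/tdata/"),   # macOS
    re.compile(r"/\.local/share/TelegramDesktop/tdata/"),                  # Linux
]
# Process names expected to read tdata (assumption: the official desktop client only).
EXPECTED_PROCESSES = {"telegram.exe", "telegram", "telegram-desktop"}
# Files whose contents are enough to clone the session (from the tree above).
SENSITIVE_FILES = {"key_datas", "map0", "map1"}
BULK_WINDOW = timedelta(seconds=30)   # this many tdata reads inside the window looks like a copy
BULK_THRESHOLD = 5


def is_tdata_path(path):
    return any(p.search(path) for p in TDATA_PATTERNS)


def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def analyze_events(events):
    """Return alerts for tdata reads by anything other than the Telegram client.

    Each event is a dict with 'time' (ISO 8601), 'process' (image path), 'path'
    (file accessed) and 'action'. This shape is a constructed stand-in for
    file-access audit records (e.g. Windows 4663, auditd).
    """
    alerts = []
    reads_by_process = defaultdict(list)
    for ev in events:
        if ev["action"] not in ("read", "copy") or not is_tdata_path(ev["path"]):
            continue
        proc = _basename(ev["process"]).lower()
        if proc in EXPECTED_PROCESSES:
            continue
        fname = _basename(ev["path"])
        alerts.append({
            "rule": "non_telegram_tdata_access",
            "time": ev["time"],
            "process": proc,
            "file": fname,
            "severity": "high" if fname in SENSITIVE_FILES else "medium",
        })
        reads_by_process[proc].append(datetime.fromisoformat(ev["time"]))
    # Second rule: a burst of tdata reads from one process within BULK_WINDOW
    for proc, times in reads_by_process.items():
        times.sort()
        for i, start in enumerate(times):
            in_window = [t for t in times[i:] if t - start <= BULK_WINDOW]
            if len(in_window) >= BULK_THRESHOLD:
                alerts.append({"rule": "tdata_bulk_collection", "time": start.isoformat(),
                               "process": proc, "count": len(in_window), "severity": "high"})
                break
    return alerts


# Constructed sample records: the client's own read, a fake installer harvesting the
# session files, an unrelated file, and a Linux archive tool reading key_datas.
TDATA_WIN = r"C:\Users\victim\AppData\Roaming\Telegram Desktop\tdata"
FAKE_INSTALLER = r"C:\Users\victim\Downloads\ZoomInstaller.exe"
SAMPLE_EVENTS = [
    {"time": "2024-01-01T10:00:00", "action": "read", "path": TDATA_WIN + r"\key_datas",
     "process": r"C:\Users\victim\AppData\Roaming\Telegram Desktop\Telegram.exe"},
    {"time": "2024-01-01T10:05:00", "action": "read", "path": TDATA_WIN + r"\key_datas", "process": FAKE_INSTALLER},
    {"time": "2024-01-01T10:05:01", "action": "read", "path": TDATA_WIN + r"\D877F783D5D3EF8C\map0", "process": FAKE_INSTALLER},
    {"time": "2024-01-01T10:05:02", "action": "read", "path": TDATA_WIN + r"\D877F783D5D3EF8C\map1", "process": FAKE_INSTALLER},
    {"time": "2024-01-01T10:05:05", "action": "read", "path": TDATA_WIN + r"\settings0", "process": FAKE_INSTALLER},
    {"time": "2024-01-01T10:05:08", "action": "read", "path": TDATA_WIN + r"\settings1", "process": FAKE_INSTALLER},
    {"time": "2024-01-01T10:06:00", "action": "read", "path": r"C:\Users\victim\notes.txt", "process": r"C:\Windows\notepad.exe"},
    {"time": "2024-01-01T11:00:00", "action": "read", "path": "/home/alice/.local/share/TelegramDesktop/tdata/key_datas", "process": "/usr/bin/tar"},
]

if __name__ == "__main__":
    for alert in analyze_events(SAMPLE_EVENTS):
        print(alert)
```

The per-file rule keys severity on key_datas and the map files rather than on the auth-key directory name, because that name varies per installation. The burst rule exists because a single read by a backup agent is a common false positive, while five tdata files read within seconds by a freshly downloaded executable is the pattern described in this stage.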
Stage 3: Session Hijacking
How Telegram Sessions Work
Telegram uses MTProto protocol for client-server communication. Each device maintains a persistent auth key that:
- Is generated during first login
- Never expires unless explicitly terminated
- Provides full account access
- Is stored locally on the device
```mermaid
graph LR
A[Client] -->|Auth Key| B[Telegram Server]
B -->|Session Validated| C[Full Account Access]
D[Attacker with Stolen Auth Key] -->|Same Auth Key| B
B -->|Session Validated| E[Full Account Access]
```
The Hijacking Process
Once the attacker possesses the victim’s session data:
- Session Cloning: The attacker imports the stolen tdata into their Telegram client
- Authentication Bypass: The stolen auth key grants immediate access without SMS verification
- Concurrent Access: Both victim and attacker can access the account simultaneously
At this point, from Telegram’s perspective, both connections appear to be the same authenticated device.
Stage 4: Account Takeover
The 24-Hour Security Delay
Telegram implements a critical security feature: new sessions have restricted privileges for 24 hours.
A newly logged-in session cannot:
- Terminate sessions that are older than 24 hours
- Change two-factor authentication settings
- Transfer account ownership
- Delete the account
This feature is designed to protect users whose SMS login code has been intercepted. In this attack, however, it becomes a weapon against the victim.
Exploiting the Security Delay
```mermaid
timeline
title Attack Timeline
0h : Attacker gains session access
: Terminates victim's original session
0h+ : Victim logs back in
: New session created (restricted)
24h : Attacker's session gains full privileges
: Victim's session still restricted
24h+ : Attacker removes victim's phone number
: Complete account takeover
```
The Critical Sequence:
1. Attacker terminates victim’s session: Using the stolen (older) session, the attacker can terminate what appears to be “another device”
2. Victim re-authenticates: When the victim notices they’ve been logged out and logs back in, a new session is created
3. Privilege asymmetry: The attacker’s session (using the original auth key) is now the “older” session, while the victim’s new session is restricted
4. Waiting game: After 24 hours, the attacker’s session gains full privileges while the victim remains restricted
5. Final takeover: The attacker removes the victim’s phone number, changes 2FA settings, and locks out the victim permanently
Technical Deep-Dive: Why This Works
Telegram’s Session Model
Telegram’s security model assumes that:
- Session data theft requires physical device access
- Users will notice unauthorized access quickly
- The 24-hour delay provides time to recover
This attack breaks these assumptions by:
- Using malware for remote session theft
- Timing the session termination strategically
- Exploiting the 24-hour rule against the victim
The Auth Key Problem
Unlike session tokens that can be rotated, Telegram’s auth keys are:
- Long-lived (permanent until logout)
- Not tied to device fingerprints
- Portable across installations
- Not invalidated by password changes
This means that even if a user changes their password or enables 2FA after the initial compromise, the attacker retains access through the stolen auth key.
Indicators of Compromise
Signs You May Be Targeted
- Session notifications: “New login from unknown device” messages
- Unexpected logouts: Being logged out without initiating it
- Message anomalies: Messages marked as read that you didn’t read
- Active sessions: Unknown devices in Settings > Devices
- Contact reports: Friends receiving messages you didn’t send
Checking Your Active Sessions
Navigate to: Settings > Privacy and Security > Active Sessions
Look for:
- Unknown device names or locations
- Sessions from unexpected IP addresses
- Multiple sessions showing the same device
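The manual check above can be turned into a repeatable audit. As an added example (not code from the original article), the Python function below takes an active-session list and flags the three warning signs: two sessions reporting the same device identity (what a cloned tdata looks like from the server side), logins from a country the user never uses, and sessions created in the last 24 hours. It also reports when the current session's own 24-hour restriction lifts, since that decides whether the user can terminate the flagged sessions right now. The field names follow Telethon's account.Authorization objects (returned by account.GetAuthorizationsRequest) as an assumption; the sample sessions are constructed to mirror the attack described in this article.

```python
from datetime import datetime, timedelta, timezone

NEW_SESSION_RESTRICTION = timedelta(hours=24)   # the 24-hour rule described above


def audit_sessions(sessions, now, known_countries=frozenset()):
    """Flag entries in an active-session list that match the warning signs above.

    Each session is a dict with (assumption: field names as in Telethon's
    account.Authorization) hash, device_model, platform, app_name, ip, country,
    date_created, current and official_app.
    Returns {'findings': [(hash, reason), ...], 'current_restricted_until': datetime or None}.
    """
    findings = []
    # A cloned tdata reports the same device identity as the original client, so two
    # sessions with identical model/platform/app is the strongest signal in the list.
    by_identity = {}
    for s in sessions:
        by_identity.setdefault((s["device_model"], s["platform"], s["app_name"]), []).append(s)
    for identity, group in by_identity.items():
        if len(group) > 1:
            for s in group:
                findings.append((s["hash"], f"same device identity {identity} as {len(group) - 1} other session(s)"))
    current = None
    for s in sessions:
        if s.get("current"):
            current = s          # the session running the audit
            continue
        if known_countries and s.get("country") not in known_countries:
            findings.append((s["hash"], f"login from unexpected country {s.get('country')} ({s.get('ip')})"))
        if not s.get("official_app", True):
            findings.append((s["hash"], "unofficial client"))
        if now - s["date_created"] < NEW_SESSION_RESTRICTION:
            findings.append((s["hash"], "created within the last 24 hours"))
    # A freshly created current session cannot terminate older sessions yet; say when it can.
    restricted_until = None
    if current is not None:
        unlock = current["date_created"] + NEW_SESSION_RESTRICTION
        if unlock > now:
            restricted_until = unlock
    return {"findings": findings, "current_restricted_until": restricted_until}


# Constructed sample matching the attack: the victim re-logged in two hours ago (current),
# an older session with the same device identity connects from another country, and a
# phone session is legitimate. IPs are from documentation ranges.
SAMPLE_NOW = datetime(2024, 1, 2, 12, 0, tzinfo=timezone.utc)


def sample_sessions(now):
    desktop = {"device_model": "Desktop", "platform": "Windows",
               "app_name": "Telegram Desktop", "official_app": True}
    return [
        dict(desktop, hash=1, ip="198.51.100.23", country="NL",
             date_created=now - timedelta(days=60), current=False),
        dict(desktop, hash=2, ip="192.0.2.10", country="DE",
             date_created=now - timedelta(hours=2), current=True),
        {"hash": 3, "device_model": "iPhone 13", "platform": "iOS", "app_name": "Telegram iOS",
         "official_app": True, "ip": "192.0.2.11", "country": "DE",
         "date_created": now - timedelta(days=400), "current": False},
    ]


def run_sample():
    return audit_sessions(sample_sessions(SAMPLE_NOW), SAMPLE_NOW, known_countries={"DE"})


if __name__ == "__main__":
    report = run_sample()
    for h, reason in report["findings"]:
        print(f"session {h}: {reason}")
    if report["current_restricted_until"]:
        print("current session cannot terminate older sessions until", report["current_restricted_until"])
```

Note that the older duplicate session is the one to distrust here, not the newer one: the victim's own re-login is the young session, while the attacker's imported copy inherits the original client's identity and age. That is why the audit groups by device identity before it looks at session age.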
Defensive Countermeasures
Immediate Actions if Compromised
1. Terminate ALL other sessions immediately:
   - Go to Settings > Privacy and Security > Active Sessions
   - Click “Terminate All Other Sessions”
2. Enable Two-Factor Authentication:
   - Settings > Privacy and Security > Two-Step Verification
   - Use a strong, unique password
3. Check linked devices and bots:
   - Remove any unauthorized linked devices
   - Revoke access for suspicious bots
4. Change your phone number (if available):
   - This invalidates the attacker’s session
Preventive Measures
| Measure | Implementation | Effectiveness |
|---|---|---|
| 2FA | Enable with strong password | High |
| Session monitoring | Regular checks of active sessions | Medium |
| Software hygiene | Only install from official sources | High |
| Link verification | Always verify download URLs | High |
| Passcode lock | Enable app passcode | Medium |
Technical Hardening
For high-risk users (journalists, activists, crypto holders):
- Use Telegram’s secret chats for sensitive conversations
- Enable login notifications in Privacy settings
- Consider using a dedicated device for Telegram
- Audit sessions regularly: check active sessions weekly
- Use a password manager for 2FA passwords
The Broader Implications
Why Telegram is Targeted
Telegram has become a prime target due to:
- Cryptocurrency communities: Large amounts of value transacted via Telegram
- Business communications: Companies increasingly use Telegram for operations
- Activist networks: Political organizers rely on Telegram
- Single point of failure: One compromised account can cascade
Similar Attack Vectors
This attack pattern can be adapted for:
- Discord (token theft)
- WhatsApp Web (QR code hijacking)
- Signal Desktop (similar session model)
- Browser-based services (cookie theft)
Conclusion
This attack represents a sophisticated evolution of social engineering combined with technical exploitation. By understanding Telegram’s session management system, attackers have found a way to weaponize security features against users.
The key takeaways:
- Never install software from untrusted sources, especially under time pressure
- Enable two-factor authentication on all messaging platforms
- Regularly audit your active sessions
- Be suspicious of unsolicited meeting invitations
- Verify download links before installing any software
The best defense is awareness. Share this information with colleagues and friends who might be targets.