Zero‑Click RCE in Telegram: How a Malicious Animated Sticker Can Hijack Your Phone

Security researchers uncovered a CVSS 9.8 zero‑click vulnerability in Telegram that lets attackers execute code and fully control Android and Linux devices by sending a specially crafted animated sticker. The flaw has been patched, but users must update immediately.

Black & White Path

Security researchers disclosed a high‑severity vulnerability in Telegram that enables remote code execution without any user interaction. The flaw is triggered by sending a specially crafted animated sticker (e.g., a .webp file) and has been assigned a CVSS score of 9.8.

The bug, dubbed “Evil Sticker”, resides in Telegram’s handling of animated sticker files. A heap‑buffer overflow in the media‑processing code can be exploited when the malicious sticker is parsed, causing the app to execute attacker‑controlled instructions with the same privileges as Telegram; when combined with other privilege‑escalation bugs, it can lead to full device compromise.
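As an added illustration (not Telegram's code, and not the real WebP or animated‑sticker format), the constructed toy frame parser below shows the bug class described above: a length field read from the file drives a copy into a fixed‑size heap buffer, and the hardened variant rejects any declared length that exceeds either the bytes actually present or the destination buffer.

```c
/* Added example, not Telegram's or any media library's code. Constructed toy
 * "sticker frame" format: a 4-byte little-endian declared payload length
 * followed by the payload bytes. Shows an unchecked length turning into a
 * heap-buffer overflow, and the check that prevents it. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define FRAME_CAP 64  /* fixed capacity of the heap buffer holding one frame */

/* Reads the little-endian 32-bit length field at the start of a chunk. */
static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern: trusts the file-controlled length field. A declared
 * length above FRAME_CAP makes memcpy write past the heap allocation. */
int parse_frame_unchecked(const uint8_t *chunk, size_t chunk_len, uint8_t **out) {
    if (chunk_len < 4) return -1;
    uint32_t declared = read_le32(chunk);
    uint8_t *frame = malloc(FRAME_CAP);
    if (!frame) return -1;
    memcpy(frame, chunk + 4, declared);   /* heap overflow if declared > FRAME_CAP */
    *out = frame;
    return (int)declared;
}

/* Hardened: the declared length must fit both the bytes actually present in
 * the chunk and the destination buffer before any copy happens. */
int parse_frame_checked(const uint8_t *chunk, size_t chunk_len, uint8_t **out) {
    *out = NULL;
    if (chunk_len < 4) return -1;
    uint32_t declared = read_le32(chunk);
    if (declared > FRAME_CAP || declared > chunk_len - 4) return -1;  /* reject */
    uint8_t *frame = malloc(FRAME_CAP);
    if (!frame) return -1;
    memcpy(frame, chunk + 4, declared);
    *out = frame;
    return (int)declared;
}

/* Constructed sample inputs: a benign 3-byte frame, and a 3-byte chunk whose
 * length field claims 4096 bytes. */
const uint8_t BENIGN_CHUNK[]    = { 0x03, 0x00, 0x00, 0x00, 0xAA, 0xBB, 0xCC };
const uint8_t MALICIOUS_CHUNK[] = { 0x00, 0x10, 0x00, 0x00, 0x41, 0x41, 0x41 };
```

Running the checked parser on `MALICIOUS_CHUNK` returns -1 without allocating, whereas the unchecked variant would copy 4096 bytes into a 64-byte allocation.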

Impact: All Android versions of Telegram prior to the fix are fully vulnerable; iOS is less affected due to stricter sandboxing but may still leak sensitive data. The vulnerability affects the latest pre‑patch releases on both Android and Linux clients.

The exploit requires only that the attacker’s sticker be delivered to the victim—no click or view is needed. If the victim is in the attacker’s contact list or a shared group, the payload can execute silently.

Telegram responded by releasing a patched version after the report. Users should update immediately via official app stores and enable automatic updates. Maintaining vigilance toward unknown media files remains good security practice.

The incident illustrates the growing danger of zero‑click attacks, the security risks introduced by complex media features, and supply‑chain concerns because the flaw may stem from third‑party media libraries. It serves as a reminder that instant‑messaging apps are critical infrastructure requiring timely patching.

Written by

Black & White Path

We are the beacon of the cyber world, a stepping stone on the road to security.
