Background: I run a Telegram channel with thousands of subscribers that posts anti-government political stuff, and I’m based in a country where Telegram is banned by the government.
This morning at 7:49am, when I picked up my Android phone, I got a notification that a Telegram stranger pseudonymed “Edsel Joan” (I never knew this user before) had sent me a photo on Telegram ~5 hours earlier. What was suspicious is that the photo failed to render and the notification only showed “[Photo]”. (Usually, if the photo renders successfully, a photo preview is displayed, so I found this suspicious.)
When I saw this, I clicked on the notification to open the Telegram chat, but found that the original sender had deleted the chat for both parties sometime after they sent the photo, presumably to destroy evidence. (This is a Telegram feature; therefore, I can’t find the original sender who did this to me.)
I suspected this was some kind of 0-day attack. So I used adb and the Mobile Verification Toolkit to scan my phone. The tool reported that it detected no IOC matches. However, I saw logs of many system files and processes being touched or modified at around 1:58am in the results file timeline.csv, which is about the time I received the strange Telegram message.
Can anyone suggest whether I have indeed been infected by spyware, or whether this is just paranoia stemming from a random spam message? What are my next steps?
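One way to triage the burst of timeline.csv entries described in the question, as an added Python example that is not part of the post and not MVT's own code: it assumes MVT's timeline.csv header (UTC Timestamp, Plugin, Event, Description) and its timestamp format, uses a constructed sample, converts the local incident time to UTC, and summarises what was touched in a window around it.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample rows in the layout MVT is assumed to write to timeline.csv.
SAMPLE_TIMELINE = """\
UTC Timestamp,Plugin,Event,Description
2024-05-01 17:30:12.000000,Files,Modified,/data/app/com.example/base.apk
2024-05-01 17:58:01.000000,Files,Modified,/system/bin/sh
2024-05-01 17:58:02.000000,Files,Modified,/system/lib64/libc.so
2024-05-01 17:58:02.000000,Processes,Started,com.android.systemui
2024-05-01 17:58:03.000000,Files,Modified,/data/data/org.telegram.messenger/cache/img.jpg
2024-05-01 17:58:04.000000,Files,Modified,/system/framework/framework.jar
2024-05-01 21:40:00.000000,Files,Modified,/data/data/org.telegram.messenger/databases/cache4.db
"""

def parse_timeline(text):
    """Return (utc_datetime, plugin, event, description) tuples from timeline.csv text."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["UTC Timestamp"], "%Y-%m-%d %H:%M:%S.%f")
        rows.append((ts, row["Plugin"], row["Event"], row["Description"]))
    return rows

def local_to_utc(local_dt, utc_offset_hours):
    # timeline.csv is in UTC; the 1:58am in the question is local time, so shift it
    # by the phone's UTC offset before searching (offset value is an assumption).
    return local_dt - timedelta(hours=utc_offset_hours)

def events_in_window(rows, center_utc, minutes=30):
    """All events within +/- `minutes` of the suspected incident time."""
    lo, hi = center_utc - timedelta(minutes=minutes), center_utc + timedelta(minutes=minutes)
    return [r for r in rows if lo <= r[0] <= hi]

def summarize(rows):
    """Count events per (plugin, event) so a burst stands out at a glance."""
    return Counter((plugin, event) for _, plugin, event, _ in rows)

def by_prefix(rows, prefix):
    # Separate /system/ paths (often legitimately touched by an OTA update or reboot,
    # so check for a system update at that time too) from app data paths.
    return [r for r in rows if r[3].startswith(prefix)]

if __name__ == "__main__":
    rows = parse_timeline(SAMPLE_TIMELINE)
    window = events_in_window(rows, local_to_utc(datetime(2024, 5, 2, 1, 58), 8))
    print(summarize(window))
    for r in by_prefix(window, "/system/"):
        print(r)
```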