Telegram for Android Hit by Zero-Day "EvilVideo" Exploit

ESET researchers have uncovered a zero-day vulnerability named “EvilVideo” that targets Telegram for Android, enabling attackers to send malicious payloads disguised as video files.

On June 6, 2024, a zero-day exploit targeting Telegram for Android appeared for sale on an underground forum. This exploit, leveraging a vulnerability named “EvilVideo,” was tested by ESET researcher Lukas Stefanko, who confirmed it allows attackers to distribute malicious Android payloads through Telegram channels, groups, and chats, masquerading them as multimedia files.

[Figure: Seller’s post on an underground forum. Source: ESET]

The exploit seller showcased screenshots and a video demonstrating the exploit in a public Telegram channel. On June 26, 2024, ESET reported the vulnerability to Telegram. The team at Telegram responded by releasing a patch on July 11, 2024, in version 10.14.5 of the app.

EvilVideo breakdown

The EvilVideo exploit affects Telegram for Android versions 10.14.4 and earlier. It likely utilizes the Telegram API to craft malicious multimedia files that appear as video previews in chats. Upon receiving these files, users with automatic media download enabled would inadvertently download the malicious payload.

Once the user attempts to play the video, Telegram displays a message indicating it cannot play the file and suggests using an external player. If the user follows this suggestion, they are prompted to install a malicious app disguised as an external player. This app, detected by ESET as Android/Spy.SpyMax.T, is downloaded as what appears to be a video file but carries an .apk extension. The exploit misleads Telegram’s preview into rendering the file as a video even though it is an APK.

The exploit specifically targets Telegram for Android and has no impact on Telegram Web or Telegram Desktop clients. In ESET’s tests on the latter two, the payloads were treated as multimedia files, preventing the exploit from functioning.

While the exact identity of the threat actor remains unknown, ESET discovered that the same individual has been advertising an Android cryptor-as-a-service on the same forum since January 2024. This service claims to be fully undetectable, though ESET has not tested those claims.

Telegram’s resolution

Following the discovery of EvilVideo on June 26, 2024, ESET reported the issue to Telegram. Although initially unresponsive, Telegram’s team confirmed the investigation on July 4, 2024, and issued a fix with the release of version 10.14.5 on July 11, 2024. The updated version correctly identifies shared files as applications, preventing the exploit from deceiving users.
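The breakdown above and the description of the fix both come down to one principle: a client must classify a shared file by its content, not by the type the sender declares or the preview it happens to render. The following is an added example written for this page, not Telegram’s code and not ESET’s; it implements a minimal content sniffer that recognises an APK (a ZIP container carrying `AndroidManifest.xml` or `classes.dex`) and an MP4 (ISO base media `ftyp` box), and flags a mismatch between the declared video type and the actual bytes. The marker sets, the `classify_attachment` function and the in-memory sample files are constructed here for illustration; a production client would use a full MIME sniffer rather than these two signatures.

```python
"""Content-based classification of a shared attachment (added example).

Demonstrates why a client should decide "is this a video or an app?" from
the bytes rather than from the sender-supplied filename or MIME type.
Sample inputs are constructed in memory; no real APK or video is used.
"""
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"                       # local file header of a ZIP container
APK_MARKERS = {"AndroidManifest.xml", "classes.dex"}  # entries every Android APK carries
VIDEO_EXTENSIONS = (".mp4", ".mkv", ".mov")      # constructed list for this example


def sniff_type(data: bytes) -> str:
    """Return 'apk', 'zip', 'mp4' or 'unknown' based on content alone."""
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "unknown"            # ZIP signature but no valid central directory
        return "apk" if names & APK_MARKERS else "zip"
    # ISO BMFF (MP4/MOV): 4-byte box size followed by the 'ftyp' box type
    if len(data) >= 12 and data[4:8] == b"ftyp":
        return "mp4"
    return "unknown"


def classify_attachment(filename: str, declared_mime: str, data: bytes) -> dict:
    """Compare what the sender claims with what the bytes actually are.

    'treat_as_application' is the decision a hardened client should act on;
    'mismatch' is the signal worth surfacing to the user or to detection.
    """
    actual = sniff_type(data)
    claims_video = (declared_mime.startswith("video/")
                    or filename.lower().endswith(VIDEO_EXTENSIONS))
    return {
        "filename": filename,
        "declared": declared_mime,
        "actual": actual,
        "treat_as_application": actual == "apk",
        "mismatch": claims_video and actual != "mp4",
    }


def build_fake_apk() -> bytes:
    """Constructed sample: a ZIP with APK-typical entry names and dummy bodies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()


def build_fake_mp4() -> bytes:
    """Constructed sample: a bare 24-byte ISO BMFF 'ftyp' box."""
    return ((24).to_bytes(4, "big") + b"ftyp" + b"isom"
            + b"\x00\x00\x02\x00" + b"isommp42")


if __name__ == "__main__":
    # A file presented as a video whose bytes are an APK is exactly the
    # EvilVideo pattern; the check below flags it regardless of preview.
    for name, mime, payload in [("clip.mp4", "video/mp4", build_fake_apk()),
                                ("clip.mp4", "video/mp4", build_fake_mp4())]:
        print(classify_attachment(name, mime, payload))
```

The decision is deliberately driven by `sniff_type` alone: the declared type only feeds the `mismatch` flag, so a client using this logic would offer "install application" rather than "play video" for the first sample, which is what the 10.14.5 fix achieves by identifying shared files as applications.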

If you are using Telegram on Android, you are advised to upgrade to the latest version as soon as possible. If you’ve recently received video files leading to installing APKs via Telegram, consider yourself breached and immediately initiate a clean-up procedure. It is unknown for how long this zero-day has been available to the exploit seller and how many cybercriminals might have been leveraging it in attacks.
