Cybersecurity researchers at ESET discovered a zero-day exploit targeting the Telegram for Android app that let attackers send malicious files disguised as videos through chats.
The zero-day exploit, dubbed “EvilVideo,” allowed hackers to share Android payloads via Telegram channels, groups, and chats, and make them appear to be multimedia files. This exploit targeted only Android Telegram versions 10.14.4 and older.
Lukas Stefanko, an ESET researcher, discovered the Telegram exploit in June 2024 on a secret online forum, where it was being sold for an unspecified price.
“We found the exploit being advertised for sale on an underground forum. In the post, the seller shows screenshots and a video of testing the exploit in a public Telegram channel. We were able to identify the channel in question, with the exploit still available. That allowed us to get our hands on the payload and test it ourselves,” ESET said in a press release statement.
According to the ESET Research analysis, the exploit was likely crafted using Telegram’s Application Programming Interface (API), since it allows developers to upload specially crafted multimedia files to Telegram chats or channels programmatically.
The malware is displayed as a multimedia preview on the Android app and not as a binary attachment.
Once shared in the chat, the malicious payload appears as a harmless 30-second video. By default, media files received via Telegram are downloaded automatically.
This means if a user has this setting enabled, it will automatically download the malicious payload as soon as they open the chat where it was shared.
While the default automatic download option can be disabled manually, users remain exposed, because the payload can still be downloaded by tapping the download button on the shared video.
When the user attempts to play the “video”, Telegram displays a legitimate message that it is unable to play the video and suggests that the video should be opened using an external player. However, if the user taps the “Open” button in the displayed message, they will be asked to install a malicious app posing as a video player. It also requests the user to enable the installation of unknown apps.
“At this point, the malicious app in question has already been downloaded as the apparent video file, but with the .apk extension. Interestingly, it is the nature of the vulnerability that makes the shared file look like a video: the actual malicious app was not altered to pose as a multimedia file,” ESET added.
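The core of the issue described above is that the client trusted the sender-supplied media type rather than the file's actual bytes. As an added illustration (not code from ESET or Telegram), the following check classifies a received blob by content sniffing and flags a "video" whose bytes are really an Android package; the sample APK and MP4 header are constructed inline for the demonstration.

```python
import io
import zipfile

# Constructed sample inputs (not taken from the ESET report): a minimal ZIP that
# carries the entries every APK has, and a minimal ISO-BMFF (MP4) file header.
def build_fake_apk() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\0")
    return buf.getvalue()

FAKE_MP4 = (0x18).to_bytes(4, "big") + b"ftypisom" + b"\0" * 16

def sniff_container(data: bytes) -> str:
    """Classify a blob by its bytes, ignoring any claimed MIME type or file name."""
    if len(data) >= 12 and data[4:8] == b"ftyp":
        return "mp4"                      # MP4/MOV files begin with an 'ftyp' box
    if data[:4] == b"PK\x03\x04":         # ZIP local-file header signature
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "zip-corrupt"
        # An APK is a ZIP that carries a manifest plus Dalvik bytecode
        if "AndroidManifest.xml" in names and any(n.endswith(".dex") for n in names):
            return "apk"
        return "zip"
    return "unknown"

VIDEO_MIMES = {"video/mp4", "video/quicktime"}

def is_disguised_media(claimed_mime: str, data: bytes) -> bool:
    """True when the sender's metadata says 'video' but the bytes are an installable package."""
    return claimed_mime in VIDEO_MIMES and sniff_container(data) == "apk"
```

A client or gateway that applies this kind of content check before rendering a media preview would show the file as a package rather than a playable video.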
ESET discovered the EvilVideo vulnerability on June 26, 2024, and reported the issue immediately to Telegram.
However, it wasn’t until July 4 that Telegram confirmed the issue and began investigating it. The instant messaging platform then fixed the issue and rolled out the new version of the app, 10.14.5, on July 11, 2024.
EvilVideo affects Telegram for Android version 10.14.4 and earlier. Users are recommended to update to version 10.14.5 of the app, which fixes the bug and displays APK files correctly in the chat multimedia preview as an app and not a video.
“This exploit is not a vulnerability in Telegram. It would have required users to open the video, adjust Android safety settings, and then manually install a suspicious-looking ‘media app’,” a Telegram spokesperson said in a statement.
“We received a report about this exploit on July 5th and a server-side fix was deployed on July 9th to protect users on all versions of Telegram.”