
Telegram zero-day flaw exploited to spread malicious APKs


A zero-day exploit in Telegram, dubbed ‘EvilVideo,’ has been discovered that enables attackers to distribute malicious Android payloads through Telegram channels, groups, and individual chats, disguising them as seemingly innocuous multimedia files.

The exploit was advertised on an underground forum, where the seller provided screenshots and a video demonstrating its functionality on a public Telegram channel.

Upon investigation, it was found that the exploit affects Telegram versions 10.14.4 and older. The malicious payloads are crafted using the Telegram API, enabling the attackers to upload files that appear as multimedia previews instead of binary attachments. When shared in a chat, the payload masquerades as a 30-second video.

“Our analysis of the exploit revealed that it works on Telegram versions 10.14.4 and older. We speculate that the specific payload is most likely crafted using the Telegram API since it allows developers to upload specifically crafted multimedia files to Telegram chats or channels programmatically,” said researchers.

The exploit is being sold on an underground forum. | Source: WeLiveSecurity

By default, Telegram is set to automatically download media files, meaning users with this setting enabled will inadvertently download the malicious payload upon opening the conversation.

If a user attempts to play the disguised ‘video,’ Telegram displays a message suggesting the use of an external player. When the user taps the ‘Open’ button, they are prompted to install a malicious app disguised as the recommended player. Completing that installation requires the user to allow the installation of unknown apps, after which the malicious payload is installed and the device is compromised.

The exploit leverages a vulnerability in the upload process, making the file appear as a video while maintaining its .apk extension. Researchers were able to verify and inspect the exploit but could not replicate it entirely.
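The core of the problem described above is a mismatch between what a file's bytes actually are (an Android package, which is a ZIP archive) and the type the client presents to the user (a video). The following script is an added example, not code from the article or from Telegram: it sniffs a file's leading bytes, confirms whether a ZIP is an APK by looking for AndroidManifest.xml, and flags any APK that a client advertised under a media MIME type or media extension. The sample APK and MP4 header are constructed inline so it runs offline; the `classify` verdict names and the MIME/extension tables are this example's own assumptions.

```python
"""Flag downloaded files whose content type contradicts how they were presented.

Added example, not part of the original article or of Telegram's code.
An EvilVideo-style payload is an APK (a ZIP archive) that the chat client shows
as a video, so the check is: sniff the real container from the bytes, then
compare it with the advertised MIME type and the file extension.
"""
import io
import os
import zipfile

ZIP_MAGIC = b"PK\x03\x04"          # APK and JAR files are ordinary ZIP archives
MEDIA_MIME_PREFIXES = ("video/", "image/", "audio/")   # assumption: this example's table
VIDEO_EXTENSIONS = {".mp4", ".3gp", ".mov"}
MEDIA_EXTENSIONS = VIDEO_EXTENSIONS | {".jpg", ".jpeg", ".png", ".gif"}


def sniff_container(data: bytes) -> str:
    """Return 'zip', 'mp4' or 'unknown' from the first bytes of the file."""
    if data.startswith(ZIP_MAGIC):
        return "zip"
    # ISO BMFF files (MP4/MOV/3GP) carry an 'ftyp' box at byte offset 4.
    if len(data) >= 12 and data[4:8] == b"ftyp":
        return "mp4"
    return "unknown"


def is_apk(data: bytes) -> bool:
    """A ZIP that contains AndroidManifest.xml at its root is an Android package."""
    if not data.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return "AndroidManifest.xml" in zf.namelist()
    except zipfile.BadZipFile:
        return False


def classify(data: bytes, filename: str, advertised_mime: str) -> str:
    """Verdicts (names are this example's own): 'apk_as_media', 'apk', 'ok',
    'mismatch', 'unknown'.  advertised_mime is what the client displayed."""
    container = sniff_container(data)
    ext = os.path.splitext(filename)[1].lower()
    looks_like_media = advertised_mime.startswith(MEDIA_MIME_PREFIXES) or ext in MEDIA_EXTENSIONS

    if container == "zip" and is_apk(data):
        # The EvilVideo case: an installable package presented as a media file.
        return "apk_as_media" if looks_like_media else "apk"
    if container == "mp4" and (advertised_mime.startswith("video/") or ext in VIDEO_EXTENSIONS):
        return "ok"
    if container == "unknown":
        return "unknown"
    return "mismatch"


def build_sample_apk() -> bytes:
    """Constructed sample: a minimal ZIP with the two entries every APK carries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()


def build_sample_mp4() -> bytes:
    """Constructed sample: a bare 'ftyp' box, enough for the sniffer to see MP4."""
    return (20).to_bytes(4, "big") + b"ftyp" + b"isom" + b"\x00\x00\x02\x00" + b"isom"


if __name__ == "__main__":
    samples = [
        (build_sample_apk(), "funny_clip.apk", "video/mp4"),          # disguised APK
        (build_sample_mp4(), "clip.mp4", "video/mp4"),                # genuine video
        (build_sample_apk(), "player.apk", "application/vnd.android.package-archive"),
        (build_sample_mp4(), "clip.apk", "application/octet-stream"), # video mislabelled as APK
    ]
    for data, name, mime in samples:
        print(f"{name:<14} advertised={mime:<40} verdict={classify(data, name, mime)}")
```

The check is only as good as the `advertised_mime` value the client exposes; a scan of an on-disk download folder after the fact has only the extension to go on, so `classify` should be run where the presentation metadata is still available (for example in a content-inspection hook on the client or gateway side).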

While the EvilVideo exploit specifically targets Telegram for Android, researchers tested its behaviour on other Telegram clients. Both Telegram Web and Telegram Desktop for Windows are immune to the exploit. In these clients, the malicious file is treated as a multimedia file, preventing the exploit from functioning as intended.

The same threat actor sells Cryptor-as-a-service for Android. | Source: WeLiveSecurity

Researchers were unable to identify the specific threat actor behind this notorious exploit. However, they discovered that the same actor has been offering a cryptor-as-a-service for Android, which has been advertised as fully undetectable (FUD) on the same underground forum since January 11, 2024.

Telegram released version 10.14.5 on July 11 to patch and mitigate the issue. Cybersecurity experts have urged users to update to this latest version to protect themselves.

Last month, a massive data dump of 151 million unique emails collected from various Telegram channels was integrated into Have I Been Pwned (HIBP).


Kumar Hemant


Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
