Security researchers at ESET have uncovered a zero-day exploit targeting the Android version of the popular messaging app Telegram. The vulnerability, dubbed "EvilVideo," allowed attackers to disguise malicious payloads as innocent video files, potentially exposing millions of users to covert malware installation.
The exploit first came to light on June 6, 2024, when ESET researchers discovered a post on an underground forum offering the zero-day for sale at an undisclosed price.
According to the ESET report, the EvilVideo exploit took advantage of a flaw in how Telegram for Android handled certain types of file uploads. Attackers could craft malicious Android application packages (APKs) that the app would mistakenly display as 30-second video files when shared in chats, channels, or groups.
The deception didn't end there. If a user attempted to play the supposed video, Telegram would display a seemingly benign error message suggesting the use of an external player. However, tapping the "Open" button in this message would prompt the installation of the disguised malicious application.
One particularly troubling aspect of the exploit was its potential for silent delivery. Many Telegram users have their settings configured to automatically download media files, meaning the malicious payload could be transferred to a device as soon as the user opened a conversation containing the exploit.
The vulnerability affected all versions of Telegram for Android up to and including version 10.14.4. Users are strongly advised to update their Telegram app to version 10.14.5 or later, which contains the fix for this security flaw.
Lukas Stefanko, an ESET malware researcher involved in the discovery, emphasized the severity of the exploit:
"This vulnerability essentially allowed attackers to bypass Android's usual safeguards against installing apps from unknown sources. By making malware appear as a harmless video file, it significantly lowered users' guard against potential threats."
The vulnerability appeared to be specific to the Android version of Telegram. ESET researchers tested the exploit against Telegram's web and desktop clients, finding that these platforms correctly identified the malicious file as an APK, preventing the attack from succeeding.
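The difference described above, where the web and desktop clients recognised the APK while the Android client treated it as a video, comes down to whether a client trusts the label a message carries or inspects the bytes themselves. The following is an added example (not code from ESET, Telegram, or the original article) of the content check a receiving client can perform: it sniffs the actual file signature and compares it with the declared media type, flagging an attachment that claims to be video/mp4 but is really a ZIP-based package containing Android-specific entries. The `declared_mime` label, the `sniff_media_type` and `check_attachment` helpers, and both sample files are assumptions constructed for this example; the exact mechanism Telegram used is not stated on the page.

```python
import io
import zipfile

APK_MIME = "application/vnd.android.package-archive"

# Constructed sample: a minimal ISO base media (MP4) header. Bytes 4..8 hold
# the "ftyp" box type, which is what real video players key on.
MP4_SAMPLE = b"\x00\x00\x00\x1cftypisom\x00\x00\x02\x00isomiso2mp41"


def build_fake_apk() -> bytes:
    """Constructed sample: an in-memory ZIP shaped like an APK.

    Real APKs are ZIP archives that always carry AndroidManifest.xml and at
    least one classes.dex; the entry contents here are placeholders only.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")  # placeholder
        zf.writestr("classes.dex", b"dex\n035\x00")          # placeholder
    return buf.getvalue()


def sniff_media_type(data: bytes) -> str:
    """Derive a media type from the file's own bytes, ignoring any label."""
    # MP4 / ISO BMFF: the first box is "ftyp" at offset 4.
    if len(data) >= 12 and data[4:8] == b"ftyp":
        return "video/mp4"
    # ZIP local file header. APKs are ZIPs, so look inside for Android entries.
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "application/octet-stream"
        if "AndroidManifest.xml" in names or "classes.dex" in names:
            return APK_MIME
        return "application/zip"
    return "application/octet-stream"


def check_attachment(declared_mime: str, data: bytes) -> tuple:
    """Compare the sender-supplied label with the sniffed type.

    Returns (consistent, sniffed_type). Unknown content is never treated as
    consistent: a client should not render something it cannot identify as
    the media type the sender claims.
    """
    sniffed = sniff_media_type(data)
    declared = declared_mime.split(";")[0].strip().lower()
    if sniffed == "application/octet-stream":
        return (False, sniffed)
    return (sniffed == declared, sniffed)


def render_decision(declared_mime: str, data: bytes) -> str:
    """What a hardened client would do with the attachment."""
    consistent, sniffed = check_attachment(declared_mime, data)
    if consistent:
        return "play-as-media"
    if sniffed == APK_MIME:
        return "refuse: declared %s but content is an Android package" % declared_mime
    return "refuse: declared %s but content sniffed as %s" % (declared_mime, sniffed)


if __name__ == "__main__":
    # Constructed messages: one genuine video, one package labelled as video.
    inbox = [
        {"declared": "video/mp4", "data": MP4_SAMPLE},
        {"declared": "video/mp4", "data": build_fake_apk()},
    ]
    for msg in inbox:
        print(render_decision(msg["declared"], msg["data"]))
```

The check is deliberately conservative: a label is only honoured when the sniffed type agrees with it, and anything the sniffer cannot classify is refused rather than handed to an external player, which is the step the article describes as leading to the install prompt.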
The security firm was able to trace the seller of the exploit to previous activities on underground forums. The same actor had been advertising an Android "cryptor-as-a-service" since January 2024, claiming it could make malware fully undetectable by antivirus software.
ESET reported the vulnerability to Telegram on June 26, 2024. After not receiving an immediate response, they reached out again on July 4. Telegram confirmed the same day that it was investigating the issue, and the fix was rolled out a week later.
ESET shared a video demonstrating the Telegram zero-day exploit, which can be watched below.
Users of Telegram and other messaging apps are advised to:
- Keep their apps updated to the latest version
- Be cautious when opening files or links, even from trusted contacts
- Consider disabling automatic media downloads in chat apps
- Be wary of any prompts to install external applications or grant additional permissions
As mobile devices continue to be prime targets for cybercriminals, staying informed and practicing good security hygiene remains crucial for all users. The EvilVideo exploit may have been patched, but it likely won't be the last attempt by malicious actors to compromise popular communication platforms.