EvilVideo Vulnerability: Zero-Day Threat Targets Telegram for Android
Researchers from ESET have identified a zero-day exploit targeting Telegram for Android. Dubbed EvilVideo vulnerability, the exploit surfaced on an underground forum on June 6, 2024. Hackers employed this vulnerability to disseminate malicious files through Telegram channels, groups, and chats, disguising them as multimedia files.
Specialists managed to acquire an exploit sample, facilitating its analysis and the reporting of the issue to Telegram on June 26. A patch rectifying the vulnerability was released on July 11, 2024, in versions 10.14.5 and above of Telegram.
Example of the exploit | Image: ESET
The vulnerability enabled attackers to send malicious files masquerading as video clips in unprotected versions of Telegram for Android (10.14.4 and earlier). The exploit was discovered on an underground forum where the seller demonstrated its operation in a public Telegram channel. This allowed researchers to obtain the malicious file and test it.
Analysis revealed that the exploit leveraged the capability to create malicious files appearing as multimedia previews. When attempting to play such a “video,” Telegram indicated it could not play the file and suggested using an external player. Upon clicking the “Open” button, users were prompted to install a malicious app disguised as a player.
Below is a video demonstration and explanation of the EvilVideo vulnerability
Telegram has patched the vulnerability in version 10.14.5. Now, the multimedia file preview correctly indicates that the file is an application, not a video.
The exploit was tested on the web version and the desktop client of Telegram for Windows but did not function. In both cases, the file was recognized as multimedia and posed no threat.
It was also discovered that the exploit’s seller offered an Android cryptor service that rendered malicious files undetectable by antivirus software. This service has been advertised on the same underground forum since January 2024.
Following the identification of the zero-day vulnerability and its reporting to Telegram, the issue was resolved. Users are advised to update the application to the latest version to protect against potential threats.
Update: This flaw is tracked as CVE-2024-7014.
