ESET researchers have recently uncovered a zero-day exploit targeting Telegram for Android, referred to as EvilVideo, that enables the transmission of malicious Android payloads disguised as video files through Telegram channels, groups, and chats. This exploit, which was put up for sale in an underground forum post dated June 6th, 2024, poses a serious threat to users of the popular messaging platform.
Upon gaining access to a sample of the exploit, ESET researchers promptly analyzed it and reported their findings to Telegram on June 26th, 2024. Subsequently, Telegram took swift action to address the vulnerability, releasing a patch on July 11th, 2024, for versions 10.14.5 and newer, effectively nullifying the threat posed by the EvilVideo exploit.
The core functionality of the EvilVideo exploit lies in its ability to deceive users into believing that the malicious payloads being shared are genuine multimedia files. By manipulating the Telegram API, threat actors can craft tailored payloads that present themselves as harmless videos to unsuspecting users. This clever ruse opens the door for the installation of malicious apps masquerading as legitimate video content, ultimately compromising the security of affected devices.
To demonstrate the mechanics of the EvilVideo vulnerability, ESET researchers have prepared a video presentation, shedding light on the intricacies of the exploit and the potential risks it poses to Telegram users. The exploit is only effective on Android devices running Telegram versions 10.14.4 and earlier, underscoring the importance of promptly updating the app to the latest secure version.
In their analysis of the exploit, ESET researchers discovered that the nature of the vulnerability lies in the spoofing of multimedia previews, tricking users into unwittingly downloading and installing malicious applications disguised as video files. Although the exploit primarily targets Android devices, attempts to deploy it on Telegram Web and Desktop clients proved ineffective, highlighting the exploit’s platform-specific functionality.
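The mismatch described above, between how an attachment is presented and what its bytes actually are, can be checked on the defender's side. The following is an added example, not code from ESET or Telegram; `declared_mime` is a hypothetical metadata field standing in for however a message labels its attachment, the function names are illustrative, and only the MP4 container family is recognised as video.

```python
import io
import zipfile

# Every APK is a ZIP archive carrying a manifest under this name at its root.
APK_MANIFEST = "AndroidManifest.xml"


def is_android_package(data: bytes) -> bool:
    """True if the bytes are a ZIP archive laid out like an APK."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            return APK_MANIFEST in archive.namelist()
    except zipfile.BadZipFile:
        return False


def looks_like_mp4(data: bytes) -> bool:
    """True if the first ISO BMFF box is 'ftyp', as in MP4/MOV files."""
    return len(data) >= 12 and data[4:8] == b"ftyp"


def triage_attachment(declared_mime: str, data: bytes) -> str:
    """Compare how an attachment is presented with what its bytes are."""
    if is_android_package(data):
        # An installable app presented as a video is the pattern the page describes.
        return "block" if declared_mime.startswith("video/") else "apk"
    if declared_mime.startswith("video/") and not looks_like_mp4(data):
        return "review"  # claimed video, container not recognised here
    return "ok"


def constructed_apk() -> bytes:
    """Constructed sample: a minimal ZIP with APK-style entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr(APK_MANIFEST, b"\x03\x00\x08\x00")
        archive.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()


# Constructed sample: the leading 'ftyp' box of an MP4 file.
CONSTRUCTED_MP4 = b"\x00\x00\x00\x18ftypisom\x00\x00\x02\x00isomiso2"

if __name__ == "__main__":
    print(triage_attachment("video/mp4", constructed_apk()))
    print(triage_attachment("video/mp4", CONSTRUCTED_MP4))
```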
Further investigations into the threat actor responsible for marketing the EvilVideo exploit revealed a consistent pattern of shady activities, including the promotion of an Android cryptor-as-a-service since January 11th, 2024. This underscores the sophisticated and organized nature of cyber threats faced by users in the digital landscape today.
Through coordination with Telegram’s security team, ESET researchers reported the EvilVideo vulnerability and it was remediated, thereby safeguarding users against potential harm. Telegram users are advised to update their applications to version 10.14.5 or later to ensure protection against malicious exploits such as EvilVideo.
In conclusion, the discovery of the EvilVideo exploit and its subsequent mitigation underscore the critical role of proactive threat intelligence in safeguarding users against emerging cyber threats. ESET researchers remain vigilant in their pursuit of identifying and neutralizing potential security risks, contributing to a safer digital ecosystem for all users.

