Telegram recently addressed a critical zero-day vulnerability discovered in older versions of its Android chat and media-sharing application. The flaw, dubbed “EvilVideo” by researchers from ESET Research, allows threat actors to hide malicious payloads within video files and share them via Telegram channels, groups, and chats.
The exploit, which affects Telegram versions 10.14.4 and older, enables attackers to craft Android payloads that appear as multimedia files when shared in chat. When the recipient opens the shared file, a 30-second video is displayed, prompting them to click on it to play. If they proceed, a message appears instructing them to install a malicious app disguised as an external player. Approving that installation request results in malware being deployed on the user’s device.
ESET malware researcher Lukas Stefanko highlighted that the exploit leverages the Telegram API, allowing threat actors to upload specially crafted multimedia files programmatically. Although the exploit only worked on Android devices and not on the Telegram Web or Desktop clients for Windows, it posed a serious threat to users.
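As an added illustration (not code from the article or from ESET), the kind of check a defender-side attachment scanner can apply to a received file: ignore the sender-supplied MIME type, sniff the actual container from the leading bytes, and flag an Android package that is presented as a video. The sample MP4 header and APK-like archive are constructed inline for the demonstration.

```python
import io
import zipfile

def build_fake_mp4() -> bytes:
    # Constructed sample: an MP4 begins with an 'ftyp' box (size, 'ftyp', brand, version, compatible brands).
    body = b"ftyp" + b"isom" + b"\x00\x00\x02\x00" + b"isomiso2mp41"
    return (len(body) + 4).to_bytes(4, "big") + body

def build_fake_apk() -> bytes:
    # Constructed sample: an APK is a ZIP archive carrying AndroidManifest.xml and DEX bytecode.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()

def sniff_container(data: bytes) -> str:
    """Identify the container from magic bytes, ignoring file name and claimed MIME type."""
    if data[:2] == b"PK":
        return "zip"
    if len(data) >= 12 and data[4:8] == b"ftyp":
        return "mp4"
    return "unknown"

def is_android_package(data: bytes) -> bool:
    """A ZIP with AndroidManifest.xml plus at least one .dex member is an Android package."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = set(z.namelist())
    except zipfile.BadZipFile:
        return False
    return "AndroidManifest.xml" in names and any(n.endswith(".dex") for n in names)

def classify_attachment(claimed_mime: str, data: bytes) -> str:
    """Compare the MIME type a sender claims with what the bytes really are.

    Returns 'apk-as-media' when an Android package is labelled as video/image/audio,
    'apk' when it is honestly labelled, 'ok' when the claim matches the bytes,
    'mismatch' when it does not, and 'unknown-claim' for types this checker does not model."""
    container = sniff_container(data)
    if container == "zip" and is_android_package(data):
        return "apk-as-media" if claimed_mime.split("/")[0] in ("video", "image", "audio") else "apk"
    expected = {"video/mp4": "mp4"}.get(claimed_mime)
    if expected is None:
        return "unknown-claim"
    return "ok" if container == expected else "mismatch"
```

A real scanner would extend the MIME-to-container table and parse the manifest properly; the point here is that the decision rests on the bytes, never on the label the sender chose.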
Upon discovering the vulnerability, ESET promptly reported it to Telegram, which released patches in versions 10.14.5 and above to address the issue. Although Telegram did not respond at first, it eventually acknowledged the flaw and implemented the necessary fixes. Users are advised to update their Telegram apps immediately to prevent potential compromise.
The exploit required user interaction to execute successfully, as recipients had to click on the malicious video file to trigger the installation of the external player. While this extra step may have reduced the likelihood of successful attacks, threat actors had a five-week window to exploit the vulnerability before the patch was released.
Furthermore, researchers identified additional questionable services offered by the exploit’s sellers, including an Android cryptor-as-a-service advertised as “fully undetectable.” This shady service, which has been available since January, underscores the risks associated with malicious activities on the Telegram platform.
As a precautionary measure, ESET has shared indicators of compromise (IoCs) for the exploit on its GitHub page and advised mobile users to avoid downloading any files from unknown sources, especially when unsolicited. This incident serves as a reminder of the ongoing challenges posed by cyber threats and the importance of swift response and mitigation measures.
In conclusion, the timely detection and remediation of the EvilVideo exploit by Telegram underscore the critical role that proactive cybersecurity measures play in safeguarding users against evolving threats in the digital landscape. By staying vigilant and adopting best practices for online security, users can mitigate the risks associated with malicious activities on messaging platforms like Telegram.
