Telegram has patched a critical zero-day vulnerability in older versions of its Android app, identified as “EvilVideo.” This flaw allowed attackers to conceal malicious payloads within video files, potentially compromising user devices. The issue was discovered by ESET Research, who found an advertisement for the exploit on a Russian-language hacker forum on June 6, 2024.
The vulnerability affected Telegram versions 10.14.4 and older, enabling attackers to distribute harmful Android payloads through Telegram channels, groups, and private chats. ESET malware researcher Lukáš Štefanko explained that the exploit relied on Telegram’s API, which facilitated the creation of payloads that appeared as multimedia previews rather than binary attachments. Once shared in a conversation, the malicious payload was displayed as a 40-second video.
To exploit this flaw, users needed to interact with the malicious video. Upon clicking the video, Telegram would display a message stating that the video could not be played, suggesting the use of an external player. If users chose to “open” the file, they would be prompted to install a malicious app, falsely identified as an external player. The malicious app, named “xHamster Premium Mod,” required user approval for installation, thereby introducing malware to the device.
ESET quickly reported the vulnerability to Telegram, but the company initially did not respond. After a second contact attempt on July 5, Telegram addressed the issue with a server-side fix released on July 11, 2024, in version 10.14.5. Users are strongly advised to update their apps immediately to protect against potential exploits.
The exploit’s success relied heavily on user action, as Telegram’s default settings allow for the automatic download of media files. Users with this setting enabled would automatically download the malicious payload upon opening the affected conversation. However, if this setting was disabled, the user would need to manually download the file. The exploit did not affect Telegram’s web client or the Windows desktop app.
The identity of the threat actor behind the exploit remains unknown. However, the same actor is believed to offer an Android cryptor-as-a-service, marketed as “fully undetectable,” and has been available since January 11, 2024. ESET has released indicators of compromise (IoCs) for the exploit on their GitHub page. Users are advised to exercise caution and avoid downloading files from unknown or unsolicited sources to prevent such attacks.