Telegram Zero-Day Enabled Malware Delivery


Threat actors have used a vulnerability in Telegram for Android to distribute malicious files disguised as videos, ESET warns.

The cybersecurity firm identified the security defect after finding an advertisement for a zero-day exploit targeting Telegram for Android on a cybercrime forum.

According to ESET, the exploit was likely built on the Telegram API, which lets developers upload crafted multimedia files to Telegram chats or channels programmatically.

The code exploits a vulnerability in Telegram for Android, which ESET calls EvilVideo, allowing attackers to deliver payloads containing APK files that are displayed as a multimedia preview.

By default, Telegram downloads multimedia files automatically, so the malicious payload is fetched onto the user's device as soon as the message arrives, with no interaction required.

When the user attempts to play the video, Telegram displays a legitimate message warning that it is unable to play the file and suggesting that the video be opened in an external player.

If the user selects the option to open the video in an external player, they are instead prompted to install a malicious application posing as a video player. The user is also asked to allow Telegram to install applications from unknown sources.

“At this point, the malicious app in question has already been downloaded as the apparent video file, but with the .apk extension. Interestingly, it is the nature of the vulnerability that makes the shared file look like a video – the actual malicious app was not altered to pose as a multimedia file,” ESET explains.
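Because the APK itself was not modified, the only reliable signal is the file's content, not the name, extension or preview Telegram rendered. The following is an added example (not ESET's tooling and not Telegram's code) of the kind of content sniffer a mobile security gateway or forensic script could run over a downloaded attachment: it classifies the bytes by container magic, treats any ZIP carrying an AndroidManifest.xml as an Android package, and flags the mismatch when a file presented as a video is really an APK. The sample files are constructed in memory for the demonstration; the hypothetical helper names (sniff_container, check_attachment) are this example's own.

```python
import io
import os
import struct
import zipfile

APK_MIME = "application/vnd.android.package-archive"
VIDEO_EXTENSIONS = {".mp4", ".m4v", ".mov", ".3gp"}


def sniff_container(data: bytes) -> str:
    """Classify a blob by its bytes only; the declared name/MIME is ignored."""
    # ISO base media (MP4/MOV/3GP): a 4-byte size followed by the 'ftyp' box type.
    if len(data) >= 12 and data[4:8] == b"ftyp":
        return "video/mp4"
    # ZIP local file header: an APK is a ZIP whose root holds AndroidManifest.xml.
    if data[:4] == b"PK\x03\x04":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "archive/zip-corrupt"
        if "AndroidManifest.xml" in names:
            return APK_MIME
        return "archive/zip"
    return "unknown"


def check_attachment(file_name: str, data: bytes) -> dict:
    """Compare what the file claims to be with what its content says it is."""
    detected = sniff_container(data)
    ext = os.path.splitext(file_name.lower())[1]
    presented_as_video = ext in VIDEO_EXTENSIONS
    return {
        "declared": file_name,
        "detected": detected,
        # A video-looking name over non-video bytes is the EvilVideo pattern.
        "name_mismatch": presented_as_video and not detected.startswith("video/"),
        # An Android package arriving as chat media is blocked regardless of name.
        "verdict": "block" if detected == APK_MIME else "allow",
    }


# --- constructed sample inputs (not real artefacts from the ESET report) ---
def build_fake_mp4() -> bytes:
    """Minimal ftyp box plus an empty mdat box; enough to carry the MP4 magic."""
    payload = b"isom" + struct.pack(">I", 0x200) + b"isommp42"
    ftyp = struct.pack(">I", 8 + len(payload)) + b"ftyp" + payload
    mdat = struct.pack(">I", 8) + b"mdat"
    return ftyp + mdat


def build_fake_apk() -> bytes:
    """Tiny ZIP with the entries every APK carries; the contents are stubs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00stub-binary-xml")
        zf.writestr("classes.dex", b"dex\n035\x00stub")
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    return buf.getvalue()


def build_plain_zip() -> bytes:
    """A ZIP that is not an APK, to show the manifest check is what matters."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", b"nothing to see here")
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [("clip.mp4", build_fake_mp4()),
                       ("clip.mp4", build_fake_apk()),
                       ("clip.apk", build_fake_apk()),
                       ("files.zip", build_plain_zip())]:
        print(check_attachment(name, blob))
```

Running the script prints one verdict per sample: the genuine MP4 is allowed, the APK is blocked whether it is named clip.mp4 or clip.apk, and only the video-named APK carries a name mismatch. Real APKs also compress entries and sign them under META-INF, which the stub omits; the classification relies on the manifest entry alone, so it is unaffected by that.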


The exploit was crafted specifically for Telegram for Android and would not work in other clients for the communication platform.

ESET's analysis of the exploit led to the discovery of the underlying EvilVideo vulnerability, which was reported to Telegram in late June and patched on July 11. The zero-day exploit, however, had been on sale since early June.

On the same underground forum where the exploit was offered, the same threat actor has been advertising an allegedly fully undetectable Android cryptor-as-a-service since January 2024.

EvilVideo affects Telegram for Android version 10.14.4 and earlier. Users are advised to update to version 10.14.5, which patches the bug so that the chat multimedia preview correctly displays the payload as an application rather than a video.


This post was originally published on this site
