Boztek

Exploiting the EvilVideo vulnerability on Telegram for Android

ESET researchers uncovered a zero-day exploit affecting Telegram for Android, designated EvilVideo, which surfaced in an underground forum on June 26, 2024. The vulnerability allows attackers to send malicious Android packages (APK files) disguised as video files to users running Telegram 10.14.4 or older. ESET's analysis confirmed that the disguised payloads could be delivered through the usual Telegram routes: channels, groups, and direct chats. ESET reported the discovery to Telegram, which released a fix in version 10.14.5 on July 11, 2024.

The flaw's mechanics were reconstructed from the exploit's advertisement on the underground forum, where the seller demonstrated it with screenshots and a video of the exploit being used in a public Telegram channel. ESET's own tests indicated that the exploit abuses the Telegram API to upload the file in a way that makes the Android client render it as a video, complete with a preview, rather than as the application it really is. Because Telegram for Android downloads media automatically by default, the file is pulled onto the device as soon as the user opens the conversation; no interaction is needed for the download stage, which raises the odds that the user later taps it and starts the installation flow.

When the user taps the disguised video, Telegram cannot decode it and shows its standard error, stating that the video cannot be played and offering to open it with an external player. Choosing that option hands the file, which is really an .apk package, to Android, and the system prompts the user to approve installing it (on current Android versions this also requires allowing Telegram to install unknown apps). The .apk extension is present on the file the whole time; it is simply hidden behind the video presentation, which is what makes the lure effective. ESET determined that the malicious app itself was not modified to look like a video: the deception lies in how the file is uploaded and presented through Telegram's media handling, not in the payload.
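The root of the problem described above is that the client trusted the declared media type (and the preview that came with it) instead of the bytes it had downloaded. The following is an added example, not code from ESET or from Telegram, showing the kind of content sniffing a messaging client can do before it decides how to label a file and which "open with" path to offer. It recognises an MP4 by its leading `ftyp` box and an APK by its ZIP signature plus the `AndroidManifest.xml` and `.dex` entries every Android package carries, then flags any attachment whose declared type contradicts what the bytes say. The sample MP4 header and the sample APK are constructed inline and are not real media or real malware; the function names and MIME-mismatch policy are this example's own assumptions.

```python
import io
import zipfile

MP4_MIME = "video/mp4"
APK_MIME = "application/vnd.android.package-archive"
ZIP_MIME = "application/zip"
UNKNOWN_MIME = "application/octet-stream"


def make_sample_mp4() -> bytes:
    """Constructed sample: a minimal MP4 'ftyp' box followed by padding."""
    # ftyp box body: major brand, minor version, compatible brands
    ftyp_body = b"isom" + b"\x00\x00\x02\x00" + b"isommp42"
    size = (8 + len(ftyp_body)).to_bytes(4, "big")  # box size includes header
    return size + b"ftyp" + ftyp_body + b"\x00" * 64


def make_sample_apk() -> bytes:
    """Constructed sample: a ZIP with the two entries every APK contains.
    The entry contents are placeholders, not a real manifest or dex file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00placeholder")
        zf.writestr("classes.dex", b"dex\n035\x00placeholder")
    return buf.getvalue()


def make_sample_zip() -> bytes:
    """Constructed sample: an ordinary ZIP archive that is not an APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "just a zip")
    return buf.getvalue()


def sniff_mime(data: bytes) -> str:
    """Derive a MIME type from the content alone, ignoring filename,
    extension and whatever type the sender declared."""
    # ISO base media files (MP4, MOV, 3GP) carry an 'ftyp' box at offset 4.
    if len(data) >= 12 and data[4:8] == b"ftyp":
        return MP4_MIME
    # ZIP local-file, end-of-central-directory and spanned signatures.
    if data[:4] in (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return UNKNOWN_MIME
        # An APK is a ZIP with a binary manifest and at least one dex file.
        if "AndroidManifest.xml" in names and any(n.endswith(".dex") for n in names):
            return APK_MIME
        return ZIP_MIME
    return UNKNOWN_MIME


def is_suspicious(declared_mime: str, data: bytes) -> bool:
    """True when the declared type contradicts the bytes in a way that matters:
    something presented as video that is not, or an APK presented as anything
    other than an APK. A client should label such a file by its sniffed type
    and never route it to a media player or an installer based on the claim."""
    actual = sniff_mime(data)
    if declared_mime.startswith("video/") and actual != declared_mime:
        return True
    return actual == APK_MIME and declared_mime != APK_MIME


if __name__ == "__main__":
    for label, declared, blob in (
        ("real video", "video/mp4", make_sample_mp4()),
        ("apk sent as video", "video/mp4", make_sample_apk()),
        ("plain zip", "application/zip", make_sample_zip()),
    ):
        print(f"{label:18} declared={declared:40} sniffed={sniff_mime(blob):40} suspicious={is_suspicious(declared, blob)}")
```

The check is deliberately conservative: anything that claims to be a video but does not sniff as one is flagged, and an APK is flagged whenever it is declared as anything else, so the user is shown the real type before the "open with" prompt ever appears.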

Attempts to run the exploit against Telegram clients other than the Android app failed, which confirmed that the issue is specific to that client. In both Telegram Web and Telegram Desktop the file was still presented as media, but trying to play it only produced an error message telling the user to open it in the corresponding Telegram application instead; neither client offered a path that would execute the payload.

The threat actor behind the EvilVideo exploit remains unidentified. ESET's research did, however, turn up other offerings from the same seller, including an Android cryptor-as-a-service advertised as producing payloads that antivirus products would not detect. Taken together, these point to a broader pattern of cybercriminals building tooling around Telegram as a malware delivery channel.

ESET reported the vulnerability to Telegram under its coordinated disclosure process. The first report went unanswered; only after ESET reported it again did Telegram confirm that it was investigating, and the fix in version 10.14.5 followed shortly afterwards. ESET's post-fix check showed that the same file is now correctly identified and labeled in the app rather than rendered as a video, so the user can see what they are being asked to open.

In summary, the EvilVideo vulnerability illustrates the threat landscape around mobile messaging applications, where attackers exploit weaknesses in how a client presents and handles content to target its users. ESET's research and subsequent responsible disclosure underscore the need for continuous vigilance and rapid vendor response, particularly for widely used instant messaging services.

ESET has published its full analysis of the exploit, including a list of indicators of compromise (IoCs), so that defenders can recognise the files involved and build detections around them.