Telegram App Flaw Exploited to Spread Malware Hidden in Videos
A zero-day security flaw in Telegram’s mobile app for Android, dubbed EvilVideo, made it possible for attackers to send malicious files disguised as harmless-looking videos.
The exploit appeared for sale for an unknown price in an underground forum on June 6, 2024, ESET said. Following responsible disclosure on June 26, the issue was addressed by Telegram in version 10.14.5 released on July 11.
“Attackers could share malicious Android payloads via Telegram channels, groups, and chat, and make them appear as multimedia files,” security researcher Lukáš Štefanko said in a report.
It’s believed that the payload is concocted using Telegram’s application programming interface (API), which allows for programmatic uploads of multimedia files to chats and channels. In doing so, it enables an attacker to camouflage a malicious APK file as a 30-second video.
Users who tap the video are shown a genuine warning message stating that the video cannot be played and urging them to try an external player. Should they proceed with that step, they are then asked to allow installation of the APK file through Telegram. The app in question is named “xHamster Premium Mod.”
“By default, media files received via Telegram are set to download automatically,” Štefanko said. “This means that users with the option enabled will automatically download the malicious payload once they open the conversation where it was shared.”
While this option can be disabled manually, the payload can still be downloaded by tapping the download button accompanying the supposed video. It’s worth noting that the attack does not work on Telegram clients for the web or the dedicated Windows app.
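The core of the trick described above is a file whose name and caption say "video" while its bytes are an Android package. The following added example (not ESET's or Telegram's code) shows a defender-side content check that classifies a received attachment by its magic bytes and archive entries rather than by its declared extension; the sample files it builds are constructed inline and are not real videos or apps.

```python
import io
import zipfile


def classify_media(data: bytes) -> str:
    """Classify a received attachment by content, ignoring its name or caption.

    Returns 'mp4', 'apk', 'zip' or 'unknown'.
    """
    # ISO BMFF containers (MP4/MOV/M4V) start with a box whose type is 'ftyp' at offset 4.
    if len(data) >= 12 and data[4:8] == b"ftyp":
        return "mp4"
    # An APK is a ZIP archive; a ZIP local file header starts with PK\x03\x04.
    if data[:4] == b"PK\x03\x04":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "unknown"
        # Every installable APK carries a manifest plus at least one Dalvik bytecode file.
        if "AndroidManifest.xml" in names and any(n.endswith(".dex") for n in names):
            return "apk"
        return "zip"
    return "unknown"


def should_block(filename: str, data: bytes) -> bool:
    """Flag the mismatch this page describes: a 'video' that is really an APK."""
    claims_video = filename.lower().endswith((".mp4", ".mov", ".m4v"))
    return claims_video and classify_media(data) == "apk"


def build_fake_apk() -> bytes:
    """Constructed sample: a ZIP with the two entry types every APK has (not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()


def build_mp4_header() -> bytes:
    """Constructed sample: the first box of an MP4 file (size 20, type ftyp, brand isom)."""
    return (20).to_bytes(4, "big") + b"ftyp" + b"isom" + (0).to_bytes(4, "big") + b"isom"


if __name__ == "__main__":
    print(should_block("clip.mp4", build_fake_apk()))    # True: APK hiding behind a video name
    print(should_block("clip.mp4", build_mp4_header()))  # False: the bytes really are MP4
```

The same check can run on the downloaded file before it is handed to an external player, which is the step at which the disguised APK would otherwise prompt for installation.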
It’s currently not clear who is behind the exploit and how widely it was used in real-world attacks. The same actor, however, advertised in January 2024 a fully undetectable Android crypter (aka cryptor) that can reportedly bypass Google Play Protect.