In a concerning development, a zero-day vulnerability in Telegram for Android, dubbed ‘EvilVideo,’ has been discovered, allowing attackers to send malicious Android APK files disguised as harmless video files. This exploit, which was first advertised on a Russian-speaking hacking forum, has raised significant security alarms within the cybersecurity community.
Discovery and Disclosure of the Telegram’s ‘EvilVideo’ Exploit
The vulnerability was initially made public by a threat actor named ‘Ancryno,’ who began selling the exploit on June 6, 2024. The flaw was identified in Telegram versions v10.14.4 and older. This allowed attackers to manipulate the Telegram API to send malicious APKs, making them appear as video files to unsuspecting users.
ESET researchers, who came across a proof-of-concept (PoC) demonstration on a public Telegram channel, quickly identified the flaw. The exploit was confirmed to work in Telegram versions up to v10.14.4. ESET’s Lukas Stefanko responsibly disclosed the vulnerability to Telegram on June 26, 2024, and followed up on July 4, 2024, urging them to address the issue promptly.
Telegram’s Response and Patch
Telegram responded to ESET’s report on July 4, initiating an investigation. Within a week, on July 11, 2024, Telegram released version 10.14.5, which patched the ‘EvilVideo’ vulnerability. This rapid response prevented further exploitation of the flaw, which had a window of at least five weeks for potential attacks.
How the ‘EvilVideo’ Exploit Worked
The ‘EvilVideo’ flaw specifically targeted Telegram for Android. It enabled attackers to craft APK files that, when sent via Telegram, appeared as video files. Here’s how the exploit functioned:
- Creation of Malicious Payloads: The exploit utilized the Telegram API to generate messages that looked like 30-second video clips.
- Automatic Downloads: By default, Telegram for Android automatically downloads media files. Therefore, once a user opened a conversation, the malicious payload was downloaded to their device.
- Triggering the Download: For users with auto-download disabled, merely tapping on the video preview initiated the download.
- Execution of Payloads: When users attempted to play the video, Telegram prompted them to use an external player, potentially causing them to click “Open” and execute the malicious payload. The victim also needed to enable installation of apps from unknown sources in their device settings, allowing the APK to install.
While the exploit was marketed as a “one-click” attack, it required several steps and specific user settings, significantly reducing the likelihood of a successful attack.
Impact and Technical Details
ESET’s testing confirmed that the exploit was ineffective on Telegram’s web client and Telegram Desktop, as the payload was treated as an MP4 video file. The patch in version 10.14.5 ensures that Telegram now correctly displays APK files in previews, eliminating the deceptive appearance of video files.
ESET also identified a command and control (C2) server, ‘infinityhackscharan.ddns[.]net,’ used by the payloads. This server provided critical insights into the exploit’s operation and its distribution mechanisms.
How to Protect Yourself
If you have received video files via Telegram that prompt you to open them with an external app, it is crucial to conduct a filesystem scan using a reputable mobile security suite. The files are typically stored in:
- Internal Storage:
/storage/emulated/0/Telegram/Telegram Video/ - External Storage:
/storage/<SD Card ID>/Telegram/Telegram Video/
Additionally, Telegram has advised users to ensure their app is updated to the latest version, which now includes protections against this exploit.
Telegram’s Statement and Future Precautions
A Telegram spokesperson provided BleepingComputer with the following statement:
“This exploit is not a vulnerability in Telegram. It would have required users to open the video, adjust Android safety settings, and then manually install a suspicious-looking ‘media app’. We received a report about this exploit on July 5th, and a server-side fix was deployed on July 9th to protect users on all versions of Telegram.”
Telegram’s quick patching and proactive measures have helped mitigate the risk, but users are advised to stay vigilant and update their apps regularly.
Conclusion
The ‘EvilVideo’ zero-day exploit highlights the ongoing challenges in mobile security, especially with messaging apps. While Telegram acted swiftly to mitigate the vulnerability, users must remain cautious and keep their software up to date to avoid falling victim to such sophisticated attacks.
By staying informed and proactive, users can protect themselves against evolving cyber threats, ensuring their personal data and devices remain secure.
More News: Tech News
