Telegram’s EvilVideo Zero-Day Exploit: How Malicious APKs Were Disguised as Videos.


In brief:

  • Telegram Exploit: ‘EvilVideo’ disguised malicious APKs as video files in Telegram for Android (v10.14.4 and older).
  • Fix Released: Telegram patched the issue in version 10.14.5 on July 11, 2024, after ESET’s disclosure.
  • User Advice: Update the app, avoid suspicious files, and scan devices for malware.

A zero-day vulnerability in Telegram for Android, dubbed ‘EvilVideo,’ allowed attackers to send malicious Android APK files that appeared in chats as harmless video files. The exploit was first advertised for sale on a Russian-speaking hacking forum before ESET researchers discovered it and reported it to Telegram.

Discovery and Disclosure of the Telegram’s ‘EvilVideo’ Exploit

The exploit first surfaced when a threat actor using the handle ‘Ancryno’ began selling it on June 6, 2024. It affected Telegram for Android versions 10.14.4 and older, and it let attackers use the Telegram API to send APK files that were rendered to recipients as video messages.

ESET researchers came across a proof-of-concept (PoC) demonstration in a public Telegram channel and confirmed that it worked on Telegram for Android up to version 10.14.4. ESET’s Lukas Stefanko disclosed the vulnerability to Telegram on June 26, 2024, and followed up on July 4, 2024, urging the company to address the issue promptly.

Telegram’s Response and Patch

Telegram acknowledged ESET’s report on July 4 and began an investigation. A week later, on July 11, 2024, it released version 10.14.5 of Telegram for Android with a fix for ‘EvilVideo.’ That closed a window of at least five weeks, from the June 6 sale to the July 11 release, during which the flaw could be exploited.

How the ‘EvilVideo’ Exploit Worked

The ‘EvilVideo’ vulnerability affected only Telegram for Android. It let attackers send APK files that, once delivered through Telegram, were shown to the recipient as video messages. The attack chain was as follows:

Creation of Malicious Payloads: The attacker used the Telegram API to send an APK in a message crafted so that the recipient’s client rendered it as a 30-second video clip rather than as a file attachment.

Automatic Downloads: Telegram for Android downloads media automatically by default, so simply opening the conversation saved the payload to the device. Downloading on its own does not run the file; it only stages it.

Download Trigger: For users who had disabled automatic media downloads, a single tap on the video preview started the download instead.

Execution of Payloads: When the user tried to play the “video,” Telegram could not play it and offered to open it with an external application. Tapping “Open” handed the file to the Android package installer. Installation still required the victim to allow the installation of apps from unknown sources in their device settings; without that permission the APK could not be installed.

Although the exploit was marketed as a “one-click” attack, it required several user actions and a non-default security setting, which reduced the chances of a successful compromise.

Impact and Technical Details

ESET’s testing confirmed that the exploit was ineffective on Telegram Web and Telegram Desktop: on those clients the payload is saved as an .mp4 file, which cannot be installed as an application, so nothing executes. The fix in version 10.14.5 makes Telegram for Android display the file as the APK it actually is, removing the deceptive video preview.

ESET also identified a command-and-control (C2) server, ‘infinityhackscharan.ddns[.]net,’ contacted by the payloads. The server gave ESET insight into how the payloads were operated and distributed, and it is a useful indicator of compromise: a device that has resolved or connected to that host should be treated as suspect.

How to Protect Yourself

If you have received “video” files via Telegram that asked to be opened with an external app, scan the device’s filesystem with a reputable mobile security suite. The downloaded files are usually stored in:

  • Internal Storage: /storage/emulated/0/Telegram/Telegram Video/
  • External Storage (SD card): /storage//Telegram/Telegram Video/ (the card’s volume identifier goes between the two slashes)
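As an added example (this is not ESET’s or Telegram’s code), the following Python script checks files taken from those directories by content rather than by name, which is the whole point of this exploit: a genuine MP4 starts with an ISO BMFF ‘ftyp’ box, while an APK is a ZIP archive that contains AndroidManifest.xml and a classes.dex. It assumes you have first copied the Telegram Video folder off the device, for example with `adb pull`; the directory paths are the ones listed above, and the sample files are constructed in a temporary directory so the script runs offline.

```python
"""Flag Telegram 'videos' that are really APKs, by file content rather than name.

Added example, not ESET's or Telegram's code. Assumes the Telegram Video
folder has been copied off the device (e.g. with `adb pull`) to a local path;
the sample files are constructed here so the script runs offline.
"""
import os
import tempfile
import zipfile

# Directories named in the article. The empty segment in the second path is
# where a real device would show the SD card's volume identifier.
TELEGRAM_VIDEO_DIRS = [
    "/storage/emulated/0/Telegram/Telegram Video/",
    "/storage//Telegram/Telegram Video/",
]

ZIP_MAGIC = b"PK\x03\x04"  # local file header of a ZIP archive (and of every APK)


def classify(path):
    """Return 'mp4', 'apk', 'zip' or 'unknown' from the bytes of the file at path."""
    with open(path, "rb") as fh:
        head = fh.read(12)
    # ISO BMFF (MP4/MOV/3GP): a 4-byte box size, then the box type 'ftyp'.
    if len(head) >= 8 and head[4:8] == b"ftyp":
        return "mp4"
    if head.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(path) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "unknown"
        # A manifest plus Dalvik bytecode is what makes a ZIP an installable APK.
        if "AndroidManifest.xml" in names and any(n.endswith(".dex") for n in names):
            return "apk"
        return "zip"
    return "unknown"


def scan(dirs):
    """Walk each existing directory and return [(path, kind)] for every file
    that is not a genuine MP4. Directories that do not exist are skipped."""
    findings = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for root, _, files in os.walk(d):
            for name in files:
                p = os.path.join(root, name)
                kind = classify(p)
                if kind != "mp4":
                    findings.append((p, kind))
    return findings


def make_samples():
    """Build constructed test files in a fresh temp dir (made-up data, not real
    malware) and return a dict of the paths created."""
    base = tempfile.mkdtemp(prefix="telegram_video_")
    real = os.path.join(base, "cat.mp4")
    fake_apk = os.path.join(base, "funny_clip.mp4")
    plain_zip = os.path.join(base, "notes.mp4")
    junk = os.path.join(base, "broken.mp4")
    # Minimal ftyp box: size 0x18, type 'ftyp', major brand 'mp42', minor
    # version 0, compatible brands 'mp42' and 'isom'; the rest is padding.
    with open(real, "wb") as fh:
        fh.write(b"\x00\x00\x00\x18ftypmp42\x00\x00\x00\x00mp42isom" + b"\x00" * 32)
    # An APK with a video name: a ZIP holding a manifest and a dex file.
    with zipfile.ZipFile(fake_apk, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00")
    # An ordinary ZIP with a video name: suspicious, but not installable.
    with zipfile.ZipFile(plain_zip, "w") as zf:
        zf.writestr("readme.txt", b"not a video either")
    # Neither container: should be reported as 'unknown'.
    with open(junk, "wb") as fh:
        fh.write(b"\x00\x00\x00\x00nope")
    return {"dir": base, "real": real, "fake_apk": fake_apk,
            "plain_zip": plain_zip, "junk": junk}


if __name__ == "__main__":
    samples = make_samples()
    for path, kind in scan([samples["dir"]]):
        print(f"{kind:8s} {path}")
    # On a pulled device folder, pass the local copy of the directories in
    # TELEGRAM_VIDEO_DIRS to scan() instead of samples["dir"].
```

The check deliberately ignores the file extension, because the exploit relied on the name and the preview lying about the content. Anything under Telegram Video that comes back as apk should be treated as a likely payload and submitted to a scanner; a zip or unknown result is not proof of anything, but such files should not be opened with an external app until they have been inspected.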

Telegram also advised users to update the app to the latest version, which contains the fix. On Android 8 and later it is also worth reviewing which apps are allowed to install unknown apps (typically under Settings > Apps > Special app access > Install unknown apps) and leaving that permission withheld from Telegram and from media players, since the exploit depended on it being granted.

Statement and Future Precautions by Telegram

A spokesperson from Telegram reached out to BleepingComputer with the following statement:

“This exploit is not a weakness in Telegram. It would have required users to start the video, change Android safety settings, and after that manually install a fishy-looking ‘media application’. We became aware of this exploit on July 5th, and immediately deployed a server-side countermeasure on July 9th to protect users running all versions of Telegram.”

Telegram’s server-side countermeasure and the 10.14.5 patch have mitigated the risk, but users are still advised to remain vigilant and keep the app updated.

Conclusion

The ‘EvilVideo’ zero-day illustrates the ongoing challenges of mobile security, especially in messaging apps that download media automatically. Telegram acted quickly once notified, but users still need to keep their software up to date, keep “install unknown apps” permissions withheld, and be wary of any “video” that asks to be opened with another app.
