ESET Research discovers EvilVideo: Telegram app for Android targeted by zero-day exploit sending malicious videos
Created: 2024-07-23 10:07:54
- ESET Research found an advertisement for a zero-day exploit that targets the Telegram for Android app, posted in an underground forum.
- ESET named the vulnerability targeted by the exploit “EvilVideo” and reported it to Telegram, which updated the app on July 11, 2024.
- EvilVideo allows attackers to send malicious payloads that appear as video files in the older Telegram app for Android.
- The exploit only works on Android Telegram versions 10.14.4 and older.
BRATISLAVA, KOŠICE — July 22, 2024 — ESET researchers discovered a zero-day exploit, which targets the Telegram app for Android, that appeared for sale for an unspecified price in an underground forum post from June 2024. Using the exploit to abuse a vulnerability that ESET named “EvilVideo,” attackers could share malicious Android payloads via Telegram channels, groups, and chats, and make them appear to be multimedia files.
“We found the exploit being advertised for sale on an underground forum. In the post, the seller shows screenshots and a video of testing the exploit in a public Telegram channel. We were able to identify the channel in question, with the exploit still available. That allowed us to get our hands on the payload and test it ourselves,” explains ESET researcher Lukáš Štefanko, who discovered the Telegram exploit.
ESET Research analysis of the exploit revealed that it works on Telegram versions 10.14.4 and older. The reason might be that the specific payload is most likely crafted using the Telegram API, since it allows developers to upload specially crafted multimedia files to Telegram chats or channels programmatically. The exploit seems to rely on the threat actor being able to create a payload that displays an Android app as a multimedia preview and not as a binary attachment. Once shared in chat, the malicious payload appears as a 30-second video.
By default, media files received via Telegram are set to download automatically. This means that users with this option enabled will automatically download the malicious payload once they open the conversation where it was shared. The default automatic download option can be disabled manually — in that case, the payload can still be downloaded by tapping the download button of the shared video.
If the user tries to play the “video,” Telegram displays a message that it is unable to play the video and suggests using an external player. However, if the user taps the Open button in the displayed message, they will be requested to install a malicious app disguised as the aforementioned external app.
After discovering the EvilVideo vulnerability on June 26, 2024, ESET followed coordinated disclosure policy and reported it to Telegram, but received no response at the time. We reported the vulnerability again on July 4, and that time, Telegram reached out to ESET the same day to confirm that its team was investigating EvilVideo. Telegam then fixed the issue, shipping version 10.14.5 on July 11. The vulnerability affected all versions of Telegram for Android up to 10.14.4, but has been updated as of version 10.14.5.
For more information about EvilVideo, read the blogpost “Cursed tapes: Exploiting the EvilVideo vulnerability in Telegram for Android” on WeLiveSecurity.com. Make sure to follow ESET Research on Twitter (today known as X) for the latest news from ESET Research.
Example of how the EvilVideo exploit appears on Telegram
About ESET
ESET develops software solutions that deliver instant, comprehensive protection against evolving computer security threats. ESET pioneered and continues to lead the industry in proactive threat detection. ESET NOD32 Antivirus, its flagship product, consistently achieves the highest accolades in all types of comparative testing and is the foundational product that builds out the ESET product line to include ESET Smart Security. ESET Smart Security is an integrated antivirus, antispyware, antispam and personal firewall solution that combines accuracy, speed and an extremely small system footprint to create the most effective security solution in the industry. Both products have an extremely efficient code base that eliminates the unnecessary large size found in some solutions. This means faster scanning that doesn’t slow down computers or networks. Sold in more than 160 countries, ESET has worldwide production headquarters in Bratislava, SK and worldwide distribution headquarters in San Diego, U.S. ESET also has offices in Bristol, U.K.; Buenos Aires, AR; Prague, CZ; and is globally represented by an extensive partner network. For more information, visit our local office at https://eset.version-2.sg.
About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The Company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which includes Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities. For more information, please visit https://www.version-2.com.sg/ or call (65) 6296-4268.