A Telegram for Android zero-day vulnerability dubbed ‘EvilVideo’ allowed attackers to send malicious Android APK payloads disguised as video files.
A threat actor named ‘Ancryno’ first began selling the Telegram zero-day exploit on June 6, 2024, in a post on the Russian-speaking XSS hacking forum, stating the flaw existed in Telegram v10.14.4 and older.
ESET researchers discovered the flaw after a PoC demonstration was shared on a public Telegram channel, allowing them to obtain the malicious payload.
ESET confirmed the exploit worked in Telegram v10.14.4 and older and named it ‘EvilVideo.’ ESET researcher Lukas Stefanko responsibly disclosed the flaw to Telegram on June 26 and again on July 4, 2024.
Telegram responded on July 4, stating they were investigating the report, and then patched the vulnerability in version 10.14.5, released on July 11, 2024.
This means the threat actors had at least five weeks to exploit the zero-day before it was patched.
While it is unclear if the flaw was actively exploited in attacks, ESET shared a command and control (C2) server used by the payloads at ‘infinityhackscharan.ddns[.]net.’
BleepingComputer found two malicious APK files using that C2 on VirusTotal [1, 2] that pretend to be Avast Antivirus or an ‘xHamster Premium Mod.’
Telegram zero-day exploit
The EvilVideo zero-day flaw only worked on Telegram for Android and allowed attackers to create specially crafted APK files that, when sent to other users on Telegram, appear as embedded videos.
ESET believes that the exploit uses the Telegram API to programmatically create a message that appears to show a 30-second video.
On its default setting, the Telegram app on Android automatically downloads media files, so channel members receive the payload on their device as soon as they open the conversation.
For users who have disabled auto-download, a single tap on the video preview is enough to initiate the file download.
When users attempt to play the fake video, Telegram suggests using an external player, which may cause recipients to tap the “Open” button and execute the payload.
Next, an additional step is required: the victim must enable the installation of unknown apps from the device settings, allowing the malicious APK file to install on the device.
Though the threat actor claims the exploit is “one-click,” the fact that it requires multiple clicks, steps, and specific settings for a malicious payload to be executed on a victim’s device significantly reduces the risk of a successful attack.
ESET tested the exploit on Telegram’s web client and Telegram Desktop and found that it does not work there because the payload is treated as an MP4 video file.
Telegram’s fix in version 10.14.5 now displays the APK file correctly in the preview, so recipients can no longer be deceived by what would appear as video files.
If you recently received video files that asked for an external app to play via Telegram, perform a filesystem scan using a mobile security suite to locate and remove the payloads from your device.
Typically, Telegram video files are stored in ‘/storage/emulated/0/Telegram/Telegram Video/’ (internal storage) or in ‘/storage/<SD Card ID>/Telegram/Telegram Video/’ (external storage).
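The whole trick relies on a file being labelled as a video while its content is an APK, and the clean-up advice above comes down to checking what the files in the Telegram Video folder actually are. The following script is an added example, written for this article and not code from ESET, BleepingComputer or Telegram: it identifies files by their leading bytes (a ZIP local-file header for APKs, an `ftyp` box for MP4) rather than by extension or the app's preview label, and flags any ZIP that carries an `AndroidManifest.xml` as an APK. The Telegram Video path is the one named in the article; the sample files it creates in a temporary directory are constructed for the demonstration, and `build_sample_dir`, `sniff_type` and `find_disguised_apks` are names chosen here.

```python
import os
import struct
import tempfile
import zipfile

# Content signatures (these are standard format facts, not page-specific values):
# every ZIP archive, APKs included, begins with the local file header "PK\x03\x04";
# an ISO base media (MP4) file carries the box type "ftyp" at bytes 4..8.
ZIP_MAGIC = b"PK\x03\x04"
MP4_FTYP = b"ftyp"

# Default internal-storage location named in the article (an assumption about the device).
TELEGRAM_VIDEO_DIR = "/storage/emulated/0/Telegram/Telegram Video"


def sniff_type(path):
    """Classify a file by its content: 'mp4', 'apk', 'zip' or 'unknown'."""
    with open(path, "rb") as fh:
        head = fh.read(12)
    if head.startswith(ZIP_MAGIC):
        # A ZIP is only an APK if it carries an Android manifest; a plain archive is 'zip'.
        try:
            with zipfile.ZipFile(path) as zf:
                return "apk" if "AndroidManifest.xml" in zf.namelist() else "zip"
        except zipfile.BadZipFile:
            return "zip"
    if len(head) >= 8 and head[4:8] == MP4_FTYP:
        return "mp4"
    return "unknown"


def find_disguised_apks(directory):
    """Return sorted paths under `directory` whose content is an APK, whatever their name."""
    hits = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            if sniff_type(path) == "apk":
                hits.append(path)
    return sorted(hits)


def build_sample_dir():
    """Create a temporary folder with constructed sample files (not real payloads).

    Returns (directory, {name: path}) so callers can check each file by name.
    """
    directory = tempfile.mkdtemp(prefix="telegram_video_")
    paths = {}

    # A minimal MP4 header: 24-byte "ftyp" box with brand "isom" (no media data).
    real_clip = os.path.join(directory, "real_clip.mp4")
    with open(real_clip, "wb") as fh:
        fh.write(struct.pack(">I", 24) + b"ftyp" + b"isom" + b"\x00\x00\x02\x00" + b"isomiso2mp41")
    paths["real_clip.mp4"] = real_clip

    # A ZIP with an Android manifest entry, saved under a video-looking name: this is
    # the disguise the article describes. The manifest content is a placeholder.
    fake_clip = os.path.join(directory, "funny_clip.mp4")
    with zipfile.ZipFile(fake_clip, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"placeholder")
    paths["funny_clip.mp4"] = fake_clip

    # An ordinary ZIP archive without a manifest, to show it is not mistaken for an APK.
    archive = os.path.join(directory, "archive.zip")
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("notes.txt", b"plain archive")
    paths["archive.zip"] = archive

    return directory, paths


if __name__ == "__main__":
    target = TELEGRAM_VIDEO_DIR if os.path.isdir(TELEGRAM_VIDEO_DIR) else build_sample_dir()[0]
    for path in find_disguised_apks(target):
        print("APK content under a media folder:", path)
```

On a real device the script would be pointed at the Telegram Video directory (for example via `adb pull` to a workstation and then running it against the copy); here it falls back to the constructed sample folder. The point of the `AndroidManifest.xml` check is that a ZIP signature alone is not enough: only an archive with an Android manifest is something the package installer would accept.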
ESET shared a video demonstrating the Telegram zero-day exploit, which can be watched below.