
Telegram releases patch for zero-day vulnerability that allowed attackers to send APKs as video files


Cybersecurity firm ESET has reported that the Android version of the Telegram messenger contained a zero-day vulnerability that could allow a malicious APK file to be sent as a video file.

Cursed Tapes: Exploiting EvilVideo’s Telegram Vulnerability on Android
https://www.welivesecurity.com/en/eset-research/cursed-tapes-exploiting-evilvideo-vulnerability-telegram-android/

Telegram Vulnerability Exposed – Cybersecurity Breakdown with Lukas Stefanko – YouTube

Telegram Android Zero-Day Attack Allows Malicious Files to Disguise as Videos
https://therecord.media/telegram-zero-day-android-app-eset

On June 26, 2024, ESET discovered an exploit targeting the Android version of Telegram being sold on an underground forum. ESET has named the exploit “EvilVideo.”

After analyzing EvilVideo, ESET found that the exploit works on Telegram for Android 10.14.4 and older. EvilVideo relies on a vulnerability that causes an Android app file, which is a binary attachment, to be displayed as a multimedia preview in the Android Telegram app. Therefore, when shared in a chat using EvilVideo, the malicious payload appears as a 30-second video.

By default, media files received via Telegram are set to automatically download to the user’s device, so if the user opens that chat, it will automatically download the malicious payload. Even if automatic downloads are disabled, the payload can still be downloaded by tapping the download button in the top left corner.

What’s more, when a user tries to play a file that at first glance looks like a video, Telegram displays the message “This video can’t be played” and asks if they want to use an external player.

After the user taps “Open” on that prompt, Telegram asks them to allow installation of unknown apps.

Once that is allowed, the user is tricked into installing a malicious app disguised as a third-party player, which then installs malware or other apps on their device.

According to ESET, the exploit did not work on the Windows version.

ESET also immediately reported the vulnerability to Telegram. As a result, version 10.14.5, released on July 11, 2024, correctly displays the APK file as an app rather than a video in the media preview when the APK file is shared in a chat.
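
The mismatch described above (an item presented as video whose content is an Android package) can be checked from the file's bytes rather than its label. The following is an added example, not code from ESET or Telegram; the function names are hypothetical and the sample bytes are constructed placeholders, not real media or apps.

```python
import io
import zipfile

# Entry names an installable Android package is expected to carry.
APK_MARKERS = {"AndroidManifest.xml", "classes.dex"}


def sniff_content(data: bytes) -> str:
    """Classify bytes by content, ignoring file name and declared type."""
    buf = io.BytesIO(data)
    # Check for a ZIP first: an APK is a ZIP archive, and the ZIP directory
    # sits at the end of the file, so a video-looking header does not rule it out.
    if zipfile.is_zipfile(buf):
        try:
            with zipfile.ZipFile(buf) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "unknown"
        return "apk" if APK_MARKERS & names else "zip"
    # ISO base media files (MP4/MOV/3GP) carry an 'ftyp' box tag at offset 4.
    if len(data) >= 12 and data[4:8] == b"ftyp":
        return "video"
    return "unknown"


def is_disguised_apk(declared_mime: str, data: bytes) -> bool:
    """True when an item presented as video is really an Android package."""
    return declared_mime.lower().startswith("video/") and sniff_content(data) == "apk"


def constructed_apk() -> bytes:
    # Constructed sample: a ZIP with APK-style entry names and no real code.
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"placeholder")
        zf.writestr("classes.dex", b"placeholder")
    return out.getvalue()


# Constructed sample: only the leading 'ftyp' box of an MP4 file.
CONSTRUCTED_MP4 = b"\x00\x00\x00\x18ftypmp42\x00\x00\x00\x00mp42isom"

if __name__ == "__main__":
    samples = [("video/mp4", CONSTRUCTED_MP4), ("video/mp4", constructed_apk())]
    for mime, blob in samples:
        verdict = "SUSPICIOUS" if is_disguised_apk(mime, blob) else "ok"
        print(mime, sniff_content(blob), verdict)
```

The same check can be run over a device's or gateway's downloaded media to flag items whose declared type is video but whose content is an installable package.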