NIXsolutions: Zero-Day Telegram Vulnerability Discovered

Cybersecurity experts have identified a zero-day vulnerability in the Telegram messenger that allowed attackers to send malicious APK files disguised as video files. This vulnerability primarily affected Android users and was successfully exploited to spread malware.

On June 6, an attacker known as Ancryno posted a zero-day exploit for sale on the XSS hacker forum. The exploit, named “EvilVideo,” was discovered by ESET and affected Telegram for Android up to version 10.14.4. The attackers created special APK files that, when sent via Telegram, appeared as embedded videos. When users attempted to play these videos, Telegram suggested using an external player, prompting victims to click the “Open” button and thereby run the malicious code.

Response and Mitigation

ESET tested the exploit and confirmed its functionality. The company reported the problem to Telegram on June 26 and July 4. In response, Telegram released version 10.14.5 of its application on July 11, which addressed the vulnerability. Although a successful attack required several actions by the victim, hackers had at least five weeks to exploit the vulnerability before the patch was released.

Interestingly, despite hackers’ “one-click” claim, the actual process required several steps, reducing the risk of a successful attack. ESET also tested the exploit on Telegram Desktop, but it did not work there because the malicious file was treated as an MP4 video rather than an APK file. The fix in version 10.14.5 now correctly displays APK files in the preview, eliminating the possibility of deceiving recipients.

Recommendations for Users

ESET recommends that users who have recently received videos that prompted them to open the file in an external app scan their file system with mobile antivirus software to find and remove malicious files. NIXsolutions reminds users that Telegram files are typically stored in “/storage/emulated/0/Telegram/Telegram Video/” (internal storage) or “/storage/<SD Card ID>/Telegram/Telegram Video/” (external storage).
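As a complement to the antivirus scan, the following Python script is an added example (not code from ESET, Telegram or NIXsolutions) that checks a copy of the Telegram Video folder for files whose content is an Android package, whatever their name says. It assumes the folder has been copied to a machine with Python; the function names are hypothetical and the sample files are constructed for the demonstration.

```python
import os
import tempfile
import zipfile


def classify(path):
    """Return 'apk', 'mp4' or 'other' from file content, ignoring the file name."""
    try:
        # An APK is a ZIP archive that carries AndroidManifest.xml at its root.
        if zipfile.is_zipfile(path):
            with zipfile.ZipFile(path) as zf:
                if "AndroidManifest.xml" in zf.namelist():
                    return "apk"
        with open(path, "rb") as fh:
            head = fh.read(12)
    except (OSError, zipfile.BadZipFile):
        return "other"
    # MP4 (ISO base media) files carry the box type 'ftyp' at offset 4.
    return "mp4" if head[4:8] == b"ftyp" else "other"


def find_disguised_apks(root):
    """Walk root and list, relative to root, every file that is really an APK."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if classify(full) == "apk":
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


def build_sample_dir():
    """Constructed sample data: an APK-like ZIP with a video name, an MP4 header, a plain ZIP."""
    root = tempfile.mkdtemp()
    with zipfile.ZipFile(os.path.join(root, "clip_0001.mp4"), "w") as zf:
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")
        zf.writestr("classes.dex", b"dex\n035\x00")
    with open(os.path.join(root, "holiday.mp4"), "wb") as fh:
        fh.write(b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 32)
    with zipfile.ZipFile(os.path.join(root, "notes.zip"), "w") as zf:
        zf.writestr("readme.txt", "hello")
    return root


if __name__ == "__main__":
    # Replace build_sample_dir() with the path to the copied Telegram Video folder.
    print(find_disguised_apks(build_sample_dir()))
```

Any file this reports in a video folder is an installable package and should be deleted without being opened.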

We’ll keep you updated on any further developments regarding this issue and other cybersecurity threats. Make sure your Telegram app is updated to the latest version to stay protected from such vulnerabilities.