Telegram zero-day allowed sending malicious Android APKs as videos

A Telegram for Android zero-day vulnerability dubbed 'EvilVideo' allowed attackers to send malicious Android APK payloads disguised as video files.

A threat actor named 'Ancryno' first began selling the Telegram zero-day exploit on June 6, 2024, in a post on the Russian-speaking XSS hacking forum, stating the flaw existed in Telegram v10.14.4 and older.

ESET researchers discovered the flaw after a PoC demonstration was shared on a public Telegram channel, allowing them to obtain the malicious payload.

Threat actor selling the exploit on a hacking forum
Source: ESET

ESET confirmed the exploit worked in Telegram v10.14.4 and older and named it 'EvilVideo.' ESET researcher Lukas Stefanko responsibly disclosed the flaw to Telegram on June 26 and again on July 4, 2024.

Telegram responded on July 4, stating they were investigating the report and then patched the vulnerability in version 10.14.5, released on July 11, 2024.

This means the threat actors had at least five weeks to exploit the zero-day before it was patched.

While it is unclear if the flaw was actively exploited in attacks, ESET shared a command and control server (C2) used by the payloads at 'infinityhackscharan.ddns[.]net.'

BleepingComputer found two malicious APK files using that C2 on VirusTotal [1, 2] that pretend to be Avast Antivirus or an 'xHamster Premium Mod.'

Telegram zero-day exploit

The EvilVideo zero-day flaw only worked on Telegram for Android and allowed attackers to create specially crafted APK files that, when sent to other users on Telegram, appear as embedded videos.

ESET believes that the exploit uses the Telegram API to programmatically create a message that appears to show a 30-second video.

APK file previewed as a 30-sec clip
Source: ESET

On its default setting, the Telegram app on Android automatically downloads media files, so channel participants receive the payload on their device once they open the conversation.

For users who have disabled the auto-download, a single tap on the video preview is enough to initiate the file download.

When users attempt to play the fake video, Telegram suggests using an external player, which may cause recipients to tap the "Open" button and execute the payload.

Prompt to launch an external video player
Source: ESET

Next, an additional step is required: the victim must enable the installation of unknown apps from the device settings, allowing the malicious APK file to install on the device.​

Step requiring the approval of APK installation
Source: ESET

Though the threat actor claims the exploit is "one-click," the fact that it requires multiple clicks, steps, and specific settings for a malicious payload to be executed on a victim's device significantly reduces the risk of a successful attack.

ESET tested the exploit on Telegram's web client and Telegram Desktop and found that it doesn't work there because the payload is treated as an MP4 video file.

Telegram's fix in version 10.14.5 now displays the APK file correctly in the preview, so recipients can no longer be deceived by what would appear as video files.

If you recently received video files that requested an external app to play via Telegram, perform a filesystem scan using a mobile security suite to locate and remove the payloads from your device.

Typically, Telegram video files are stored in '/storage/emulated/0/Telegram/Telegram Video/' (internal storage) or in '/storage/<SD Card ID>/Telegram/Telegram Video/' (external storage).

ESET shared a video demonstrating the Telegram zero-day exploit, which can be watched below.