Telegram Vulnerability Let Hackers Disguise Malicious APK as Video

Security experts from ESET have reported a zero-day vulnerability in Telegram for Android, named EvilVideo. This flaw allowed attackers to send users malicious APK files disguised as video files.

Exploit Sale and Technical Details

According to researchers, a hacker known as Ancryno began selling an exploit for this zero-day issue as early as June 6, 2024. In a post on the XSS hacking forum, the hacker stated that the bug was present in Telegram for Android version 10.14.4 and earlier.

Although the attacker initially claimed the exploit was “one-click” (triggered with a single click and requiring minimal user interaction), in reality, several steps and specific settings were needed for the malicious payload to execute on the victim’s device, which significantly reduced the risk of a successful attack.

Discovery and Patch

ESET specialists discovered the issue after a proof-of-concept (PoC) demonstration was published in a public Telegram channel, allowing them to obtain the malicious payload.

According to ESET’s report, the exploit only worked in Telegram version 10.14.4 and earlier. ESET analyst Lukas Stefanko notified Telegram developers about the problem on June 26 and again on July 4, 2024. Shortly after, Telegram representatives responded that they were investigating the researchers’ report and then fixed the vulnerability in version 10.14.5, released on July 11, 2024.

Real-World Impact and Malicious Files

It is unknown whether this vulnerability was used in real attacks. However, ESET discovered a command-and-control server at infinityhackscharan.ddns[.]net that was used by the malicious payload. According to Bleeping Computer, two malicious APK files using this server were found on VirusTotal. The discovered apps pretended to be Avast Antivirus or xHamster Premium Mod.

How the EvilVideo Exploit Worked

The EvilVideo vulnerability allowed attackers to create special APK files that, when sent to other Telegram users, appeared as embedded videos. Researchers believe the exploit used the Telegram API to programmatically create a message that looked like a 30-second video. Since Telegram for Android automatically downloads media files by default, users would receive the payload on their device as soon as they opened the chat. If automatic downloads were disabled, the user would need to click the preview to initiate the file download.

When a user tried to play the fake video, Telegram would report that it could not open the file and suggest using an external player, which could prompt the victim to click “Open” and execute the payload.

However, an additional step was required, which significantly reduced the effectiveness of such attacks: the victim had to manually allow installation of apps from unknown sources in their settings for the malicious APK to be installed on the device.
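The defensive counterpart to what is described above is to classify a received attachment by its own bytes rather than by the sender-declared type. The following added example is not ESET's or Telegram's code: it treats a file presented as video as suspicious when its body is a ZIP carrying an AndroidManifest.xml, the structure every APK has. The sample MP4 header and sample package are constructed inline and contain no real payload.

```python
import io
import struct
import zipfile

ZIP_MAGIC = b"PK\x03\x04"  # local file header of any ZIP-based container, APK included


def sniff_kind(data: bytes) -> str:
    """Return 'mp4', 'apk', 'zip' or 'unknown' from the file's leading bytes."""
    # ISO BMFF (MP4): the first box is 4 bytes of size followed by the type 'ftyp'.
    if len(data) >= 8 and data[4:8] == b"ftyp":
        return "mp4"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "unknown"
        # An APK is a ZIP archive whose root contains AndroidManifest.xml.
        return "apk" if "AndroidManifest.xml" in names else "zip"
    return "unknown"


def is_suspicious_media(declared_mime: str, data: bytes) -> bool:
    """Flag an attachment declared as video whose content is an installable package."""
    return declared_mime.startswith("video/") and sniff_kind(data) == "apk"


# Constructed samples for the demonstration (not real files from the incident).
def make_fake_mp4() -> bytes:
    # 'ftyp' box: type, major brand, minor version, compatible brands
    body = b"ftyp" + b"isom" + struct.pack(">I", 0x200) + b"isomiso2mp41"
    return struct.pack(">I", 4 + len(body)) + body


def make_fake_apk() -> bytes:
    # Harmless ZIP with the two entries that make a ZIP look like an APK
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for mime, blob in [("video/mp4", make_fake_mp4()), ("video/mp4", make_fake_apk())]:
        verdict = "SUSPICIOUS" if is_suspicious_media(mime, blob) else "ok"
        print(mime, sniff_kind(blob), verdict)
```

The same check applies to any client that renders a preview from the declared type: the preview can say "video" while the bytes say "package".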

Platform Limitations and Fix

ESET experts tested the exploit in the Telegram web client and desktop versions and confirmed that it did not work there, as the payload was recognized as an MP4 video file. In the fixed version of Telegram for Android (10.14.5), APK files are now displayed correctly and can no longer be disguised as videos.
