“EvilVideo” Zero-Day Exploit Targets Android Telegram Users
In April, reports emerged of a critical security vulnerability in the desktop version of the instant messaging application Telegram. Attackers could infect a user’s system simply by sending specially crafted media files, exploiting Telegram’s default setting to automatically download media files without user interaction.
Recently, researchers from the renowned security software developer ESET disclosed another critical security vulnerability in Telegram. This flaw was discovered and exploited by hackers as early as June 6 and was not patched by Telegram until the release of version 10.14.5 on July 11. Initially, ESET researchers discovered a hacker named Ancryno selling this vulnerability on a Russian XSS hacker forum. After conducting a proof of concept (PoC), ESET confirmed the vulnerability’s authenticity, noting that it affected only the Android version of Telegram.
Hackers could create a specially crafted APK file and send it to Telegram users, where it would appear as an embedded video. If Telegram’s automatic media download feature was enabled, the file would be downloaded automatically. When the user attempted to play the video, the Android system would display an open button. Clicking this button would install the malicious APK file, provided that the user had already enabled the installation of applications from unknown sources in the settings. Otherwise, the system would prompt the user that they were attempting to open an APK file.
Although ESET researchers disclosed the vulnerability to Telegram on June 26, the fix took a considerable amount of time. Telegram responded to ESET on July 4, stating that they were investigating, and the patch was not released until July 11.
From the time the hacker posted on June 6 until the patch on July 11, the vulnerability was exploitable for over a month. Telegram has not disclosed whether any hackers actively exploited this vulnerability during that period.
This vulnerability is similar to the flaw found in the desktop version of Telegram, as both exploit certain deficiencies in the Telegram API to disguise crafted files as media, thereby enabling automatic download by Telegram.
Users are advised to disable the automatic media download feature in Telegram to prevent attackers from exploiting similar vulnerabilities for targeted attacks.
