Attackers Exploit 'EvilVideo' Telegram Zero-Day to Hide Malware

An exploit sold on an underground forum requires user action to download an unspecified malicious payload.


Telegram has patched a zero-day flaw found in older versions of its chat and media-sharing application for Android that allows attackers to hide malicious payloads in video files.

Researchers from ESET Research discovered the flaw, which they dubbed "EvilVideo," after finding an ad for the exploit on a Russian-language hacker forum on June 6. The exploit works on Telegram versions 10.14.4 and older.

"Using the exploit … attackers could share malicious Android payloads via Telegram channels, groups, and chat, and make them appear as multimedia files," ESET malware researcher Lukas Stefanko explained in a post on ESET's WeLiveSecurity blog.

The exploit appears to rely on a threat actor being able to create a payload that displays an Android app as a multimedia preview and not as a binary attachment, according to ESET. Once shared in chat, the malicious payload (the behavior of which was not specified) appears as a 30-second video.

The researchers believe that attackers crafted the specific payload using the Telegram API, "since it allows developers to upload specifically crafted multimedia files to Telegram chats or channels programmatically," Stefanko wrote.

ESET quickly reported the exploit and the flaw to Telegram, which didn't respond initially, spurring the researchers to contact the organization again on July 5. Telegram responded to the second contact effort, and on July 11 issued a server-side fix for versions 10.14.5 and above of its Android app. Users should update their apps immediately to avoid compromise.

Exploit Requires User Action

Telegram downloads received media files automatically by default; if a user leaves that option on and receives a media file carrying a malicious payload, the file starts downloading as soon as they open the conversation in which it was shared. The option can be turned off, in which case the user must download media files manually.

In the case of the exploit, since the video is displayed as a multimedia preview, a user must click on it to play it. If they do this, Telegram displays a message that it is unable to play it and suggests using an external player, giving the user an option to "cancel" or "open" the file. This is an original Telegram warning that's not specific to the payload, the researchers said.

If the user taps the "open" button in the displayed message, a request to install a malicious app disguised as the aforementioned external player pops up, which the user must approve to install malware.

"Interestingly, it is the nature of the vulnerability that makes the shared file look like a video; the actual malicious app was not altered to pose as a multimedia file, which suggests that the upload process was most likely exploited," Stefanko noted.
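A defensive check in the spirit of the mismatch Stefanko describes (the attachment is shown as a video but is an unmodified Android app). This is an added example, not ESET's tooling or Telegram's code; it assumes a client or gateway can inspect an attachment's raw bytes alongside the MIME type the message declares, and the sample inputs are constructed.

```python
import io
import zipfile

# Constructed samples (not real EvilVideo artifacts): an MP4-style header and
# an in-memory ZIP laid out like an APK.
MP4_SAMPLE = b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 24


def _build_apk_like() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()


APK_SAMPLE = _build_apk_like()


def sniff_type(data: bytes) -> str:
    """Classify a blob by its leading bytes, ignoring any declared MIME type or extension."""
    if len(data) >= 12 and data[4:8] == b"ftyp":
        return "video/mp4"
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "application/zip"
        # An APK is a ZIP that carries an Android manifest and/or Dalvik bytecode.
        if "AndroidManifest.xml" in names or "classes.dex" in names:
            return "application/vnd.android.package-archive"
        return "application/zip"
    return "application/octet-stream"


def is_disguised_apk(declared_mime: str, data: bytes) -> bool:
    """True when an attachment is presented as media but actually carries an Android package."""
    presented_as_media = declared_mime.startswith(("video/", "image/", "audio/"))
    return presented_as_media and sniff_type(data) == "application/vnd.android.package-archive"
```

A mismatch flagged here is a reason to block the auto-download or warn the user before the "open with external player" prompt ever appears.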

ESET tested the exploit not only on Android but also on the Telegram Web client and the Telegram Desktop client for Windows; it did not work on the latter two platforms.

Attacker Provides Other 'Shady' Services

Though the researchers acknowledged that the extra step of actually having to install the alleged external player decreases the likelihood of a successful attack, threat actors had five weeks between discovery of the flaw and Telegram's fix, which gave them ample time to use the exploit. Telegram is a major conduit for cyberattacks in various forms, not only through attackers hacking accounts or delivering malicious files but also through the various channels and apps available on the platform.

ESET has not identified who is behind the exploit, but did find another "shady service" that its sellers provide based on the Telegram handle shared in the forum post: an Android cryptor-as-a-service that is promoted as being "fully undetectable," and has been on sale since Jan. 11.

The researchers have posted a list of indicators of compromise (IoCs) for the exploit on ESET's GitHub page. Mobile users are recommended to never download anything on their devices that they receive in messages from anyone they don't know, especially when they are unsolicited.

About the Author

Elizabeth Montalbano, Contributing Writer

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

