Advisory

Limit your trust in Social media apps - Telegram Zero-Day Malware delivery

Take action: DO NOT open files sent via messaging or social media apps that you did not ask for. Even if you requested the file, treat media received through these apps with caution: they are a common malware delivery channel, and Telegram in particular has seen several exploit vectors. Keep your apps patched, including Telegram for Android (10.14.5 or later closes this issue).


Learn More

ESET has uncovered a zero-day exploit for Telegram for Android, which it named EvilVideo, that was being used to deliver malicious files disguised as videos. ESET found it after spotting an advertisement for the exploit on a cybercrime forum; the advertised target was Telegram for Android users.

The exploit, most likely built on the Telegram API, lets an attacker send a crafted message to a chat or channel in which an APK file (an Android application package) is rendered by the client as a video with a normal-looking preview. Because Telegram downloads media automatically by default, the payload lands on the device as soon as the recipient opens the conversation, before any tap on the "video".

The fake video cannot actually play. When the user taps it, Telegram shows a message saying the video cannot be played and offers to open it in an external player. If the user agrees, Android prompts them to install the payload, which poses as a video player, and to allow Telegram to install apps from unknown sources. Only after those steps does the malicious app run.
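The disguise described above works because the chat client trusts what the message says the attachment is. The check below, added here as an illustration and not part of the original advisory or of any Telegram code, classifies a received file by its bytes instead: an APK is a ZIP container holding AndroidManifest.xml and classes.dex, while MP4-family video starts with a 4-byte box size followed by the "ftyp" tag. It is the kind of test a mail or chat gateway, an MDM agent, or an analyst triaging a suspicious download would run; an end user cannot run it inside the Telegram app. The sample files and the filename "holiday.mp4" are constructed in the block; the function names are this example's own.

```python
import io
import zipfile
from typing import Tuple

# Extensions a sender might use to make an attachment look like a video.
VIDEO_EXTENSIONS = {"mp4", "m4v", "mov", "3gp"}


def classify_file(data: bytes) -> str:
    """Identify a file by its content, ignoring filename and chat preview.

    Returns 'mp4' (ISO base media: MP4/MOV/3GP), 'apk', 'zip' or 'unknown'.
    """
    # ISO base media files carry a 4-byte box size followed by 'ftyp'.
    if len(data) >= 8 and data[4:8] == b"ftyp":
        return "mp4"
    # APKs are ZIP archives; a non-empty ZIP starts with a local file header.
    if data[:4] == b"PK\x03\x04":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "unknown"
        # AndroidManifest.xml and classes.dex mark an Android package.
        if "AndroidManifest.xml" in names or "classes.dex" in names:
            return "apk"
        return "zip"
    return "unknown"


def check_attachment(filename: str, data: bytes) -> Tuple[str, str, bool]:
    """Compare the claimed type (file extension) with the detected type.

    Returns (claimed_extension, detected_type, suspicious). The attachment is
    flagged when it claims to be a video but is not, or when it is an APK no
    matter what it claims to be.
    """
    claimed = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    detected = classify_file(data)
    suspicious = detected == "apk" or (
        claimed in VIDEO_EXTENSIONS and detected != "mp4"
    )
    return claimed, detected, suspicious


# --- Constructed sample inputs (not real malware; built here for the example) ---

def make_fake_apk() -> bytes:
    """A minimal ZIP with the two entries that identify an Android package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()


def make_fake_mp4() -> bytes:
    """A minimal 'ftyp' box: size 0x18, type 'ftyp', brand 'mp42', padding."""
    return b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 12


if __name__ == "__main__":
    # "holiday.mp4" is a hypothetical filename used only for this demonstration.
    samples = [("holiday.mp4", make_fake_apk()), ("holiday.mp4", make_fake_mp4())]
    for name, blob in samples:
        claimed, detected, suspicious = check_attachment(name, blob)
        print(f"{name}: claims {claimed!r}, is {detected}, suspicious={suspicious}")
```

The point of the check is the order of trust: the bytes decide, the filename and the preview only raise or lower suspicion. A real APK disguised as a video is caught by the ZIP-plus-manifest test even when the client has already rendered a convincing thumbnail.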

Affected versions: Telegram for Android 10.14.4 and earlier

Fixed in: Telegram for Android 10.14.5

The zero-day exploit had been offered for sale since early June 2024. Telegram deployed a server-side fix on July 9, 2024, and shipped the client fix in version 10.14.5 on July 11, 2024.

Telegram emphasized that this was not a vulnerability within Telegram itself but an exploitation method that took advantage of the user's interaction with Android settings, and that the exploit required multiple user actions:

  • opening the video,
  • adjusting safety settings,
  • manually installing a suspicious app.

Users should update to Telegram for Android 10.14.5 or later. Whatever one makes of Telegram's framing, the sequence of user actions above is itself the warning sign: a "video" that cannot play, offers to open an external player, and then asks to enable installation from unknown sources is an installer, not a video. More generally, do not trust files sent via messaging or social media apps, especially ones you did not request; even for files you did request, be careful with media from these channels, since they are a frequent malware delivery route.
