Cybersecurity experts have discovered a zero-day vulnerability in the Telegram messenger that allowed attackers to send malicious APK files disguised as video files. The vulnerability affected Android users and was successfully exploited to distribute malware.
According to BleepingComputer, on June 6 an attacker nicknamed Ancryno put up for sale on the XSS hacker forum a zero-day exploit (an attack method that relies on a previously undetected software vulnerability) for the Telegram messenger. The vulnerability, dubbed “EvilVideo”, was discovered by ESET specialists and affected versions of the application up to 10.14.4 for Android users.
The attackers created special APK files that, when sent via Telegram, appeared as embedded videos. When attempting to play such a video, Telegram suggested using an external player, which could prompt the victim to click the “Open” button, thereby launching the malicious code.
ESET tested the exploit and confirmed that it worked. On June 26 and July 4, the company’s specialists reported the problem to Telegram management. In response, Telegram released version 10.14.5 of its application on July 11, which fixed the vulnerability. Although a successful attack required several actions on the part of the victim, the hackers had at least five weeks to exploit the vulnerability before a patch was released.
Interestingly, despite the hackers’ claim of “one click,” the actual process requires multiple steps, reducing the risk of a successful attack. ESET also tested the exploit on Telegram Desktop, but it did not work there because the malicious file was treated as an MP4 video, not an APK file.
With the fix in version 10.14.5, Telegram now correctly displays APK files in the preview, eliminating the possibility of deceiving recipients. ESET recommends that users who have recently received videos that asked to be opened with an external application perform a file system scan using mobile antivirus software to find and remove malicious files.
As a reminder, Telegram files are usually stored in “/storage/emulated/0/Telegram/Telegram Video/” (internal storage) or “/storage//Telegram/Telegram Video/” (external storage).
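As a complement to the antivirus scan, the following added example (not from ESET or Telegram) checks a copy of the “Telegram Video” folder for files whose content is an Android package, whatever extension they carry. It assumes that an APK can be recognised as a ZIP archive containing a top-level AndroidManifest.xml; the function names and the sample files are constructed for illustration.

```python
import os
import sys
import tempfile
import zipfile


def looks_like_apk(path):
    """True if the file is a ZIP archive with a top-level AndroidManifest.xml."""
    try:
        if not zipfile.is_zipfile(path):
            return False
        with zipfile.ZipFile(path) as zf:
            return "AndroidManifest.xml" in zf.namelist()
    except (OSError, zipfile.BadZipFile):
        return False  # unreadable or truncated archive: cannot be classified


def scan(root):
    """Return sorted relative paths of APK-like files under root, any extension."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and looks_like_apk(full):
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


def build_constructed_sample(root):
    """Constructed data: a video-like file, a plain ZIP, and an APK-like ZIP."""
    with open(os.path.join(root, "holiday.mp4"), "wb") as f:
        f.write(b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 64)
    with zipfile.ZipFile(os.path.join(root, "notes.zip"), "w") as zf:
        zf.writestr("readme.txt", "constructed sample")
    with zipfile.ZipFile(os.path.join(root, "clip.mp4"), "w") as zf:
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")  # placeholder bytes
        zf.writestr("classes.dex", b"dex\n035\x00")


if __name__ == "__main__":
    if len(sys.argv) > 1:  # scan a copied "Telegram Video" folder given as argv[1]
        found = scan(sys.argv[1])
    else:  # no argument: run against the constructed sample
        with tempfile.TemporaryDirectory() as tmp:
            build_constructed_sample(tmp)
            found = scan(tmp)
    for rel in found:
        print("APK content in video folder:", rel)
```

Any hit is a file that should not be in a video folder and is a candidate for removal after review.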