Researchers at ESET s.r.o. today shared details of a now-patched vulnerability that was being used to target Telegram for Android users via malicious videos.

The exploit, dubbed “EvilVideo,” could have allowed attackers to share malicious Android payloads via Telegram channels, groups and chats, with the malicious files presenting as multimedia, particularly video files, to users.

The researchers first discovered an example of the exploit for sale at an unspecified price in an unnamed “underground forum” in an advertisement posted on June 6. The ad offered a Telegram exploit with a .apk hidden payload, direct-installation, auto-download and one-click installation. In the post, the seller is said to have shown screenshots and a video of testing the exploit in a public Telegram channel.

Upon obtaining a copy of the exploit, the researchers were able to ascertain that the exploit worked on Telegram for Android versions 10.14.4 and older. The conclusion was that its malicious payload was most likely crafted using a Telegram application programming interface, given that it allows developers to upload specifically crafted files to Telegram programmatically.

Where it gets interesting is what users see. In an example shown, the threat actor was able to create a payload that displays as a 30-second video preview within Telegram for Android, not as a malicious binary attachment.

Should users try to play the “video” they are presented, they’re told that the app is unable to play the video and then are prompted to play it with an external player. Should they hit open at this point, they are then requested to install a malicious app disguised as the “external player.” Should they follow through with the prompts, the Android device becomes infected.

After discovering EvilVideo and ascertaining the basics of what it did, the ESET researchers subsequently reported what it knew to Telegram on June 26 and again on July 4. Telegram responded on July 4 and subsequently fixed the issue being exploited in version 10.14.5 released on July 11.

Any users of Telegram on Android, if they haven’t already, should make sure they’re running the latest version to avoid potential exposure to the vulnerability.

Image: SiliconANGLE/Ideogram