SECURITY
SECURITY
SECURITY
Now-patched Telegram for Android vulnerability exposed users to malicious videos
Researchers at ESET s.r.o. today shared details of a now-patched vulnerability that was being used to target Telegram for Android users via malicious videos.
The exploit, dubbed “EvilVideo,” could have allowed attackers to share malicious Android payloads via Telegram channels, groups and chats, with the malicious files presenting as multimedia, particularly video files, to users.
The researchers first discovered an example of the exploit for sale at an unspecified price in an unnamed “underground forum” in an advertisement posted on June 6. The ad offered a Telegram exploit with a .apk hidden payload, direct-installation, auto-download and one-click installation. In the post, the seller is said to have shown screenshots and a video of testing the exploit in a public Telegram channel.
Upon obtaining a copy of the exploit, the researchers were able to ascertain that the exploit worked on Telegram for Android versions 10.14.4 and older. The conclusion was that its malicious payload was most likely crafted using a Telegram application programming interface, given that it allows developers to upload specifically crafted files to Telegram programmatically.
Where it gets interesting is what users see. In an example shown, the threat actor was able to create a payload that displays as a 30-second video preview within Telegram for Android, not as a malicious binary attachment.
Should users try to play the “video” they are presented, they’re told that the app is unable to play the video and then are prompted to play it with an external player. Should they hit open at this point, they are then requested to install a malicious app disguised as the “external player.” Should they follow through with the prompts, the Android device becomes infected.
After discovering EvilVideo and ascertaining the basics of what it did, the ESET researchers subsequently reported what it knew to Telegram on June 26 and again on July 4. Telegram responded on July 4 and subsequently fixed the issue being exploited in version 10.14.5 released on July 11.
Any users of Telegram on Android, if they haven’t already, should make sure they’re running the latest version to avoid potential exposure to the vulnerability.
Image: SiliconANGLE/Ideogram
A message from John Furrier, co-founder of SiliconANGLE:
Support our mission to keep content open and free by engaging with theCUBE community. Join theCUBE’s Alumni Trust Network, where technology leaders connect, share intelligence and create opportunities.
- 15M+ viewers of theCUBE videos, powering conversations across AI, cloud, cybersecurity and more
- 11.4k+ theCUBE alumni — Connect with more than 11,400 tech and business leaders shaping the future through a unique trusted-based network.
About SiliconANGLE Media
SiliconANGLE Media is a recognized leader in digital media innovation, uniting breakthrough technology, strategic insights and real-time audience engagement. As the parent company of SiliconANGLE, theCUBE Network, theCUBE Research, CUBE365, theCUBE AI and theCUBE SuperStudios — with flagship locations in Silicon Valley and the New York Stock Exchange — SiliconANGLE Media operates at the intersection of media, technology and AI.
Founded by tech visionaries John Furrier and Dave Vellante, SiliconANGLE Media has built a dynamic ecosystem of industry-leading digital media brands that reach 15+ million elite tech professionals. Our new proprietary theCUBE AI Video Cloud is breaking ground in audience interaction, leveraging theCUBEai.com neural network to help technology companies make data-driven decisions and stay at the forefront of industry conversations.
