Telegram Zero-Day for Android Let Attackers Hide Files in Fake Videos
A zero-day flaw in Telegram’s Android app allowed attackers to send malicious files that posed as videos, according to cybersecurity researchers at ESET.
The files could be sent to an unsuspecting Android user as a direct message or as a message in a group or channel. Because the Telegram for Android app automatically downloads media by default, any Android Telegram app user who didn’t turn that off could have been vulnerable to the malicious file, which would have downloaded as soon as the conversation was opened.
Clicking on the fake video triggered a real Telegram pop-up error message: “App was unable to play this video. Try to play it with external player?” The user then had the option to cancel or open the file. If they clicked “Open,” however, they would also have to allow Android Package Kit (APK) file installation from the Telegram app. So users would have to take a number of actions in order to enable the malicious payload, but the file-in-disguise and misclassification from Telegram still posed an obvious concern.
ESET discovered the “EvilVideo” exploit being advertised for sale on a dark-web forum and reported it to Telegram last month. While it’s unclear whether anyone actually fell for the scam, Telegram pushed a fix in Android update 10.14.5 on July 11. It’s possible the exploit may have been due to an upload issue on the Android app, as APK files are now clearly marked post-fix.
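The core of the flaw described above is a type mismatch: a file that is really an Android package (a ZIP archive with an `AndroidManifest.xml` and `.dex` files inside) is presented to the client as a video, and the client trusts the claimed type until playback fails. The following added example (not code from the article, ESET or Telegram) shows how a receiving client or a defender-side scanner can classify an attachment by its leading bytes and archive contents instead of its claimed name, and flag an APK that arrives under a video extension. The function names, the tiny constructed APK and the constructed MP4 header are all this example's own assumptions.

```python
import io
import zipfile

# Extensions a chat client would normally hand to a video player.
VIDEO_EXTS = {"mp4", "m4v", "mov", "3gp"}

# Constructed sample input: a minimal MP4 'ftyp' box (size 24, brand 'isom').
# Real videos are longer, but the first 12 bytes are what the sniffer needs.
CONSTRUCTED_MP4 = b"\x00\x00\x00\x18ftypisom\x00\x00\x02\x00isommp42"


def build_constructed_apk() -> bytes:
    """Build a constructed, non-functional stand-in for an APK: a ZIP archive
    carrying the two entries that characterise an Android package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00")  # placeholder, not real bytecode
    return buf.getvalue()


def looks_like_mp4(data: bytes) -> bool:
    """ISO base media files (MP4/MOV/3GP) carry an 'ftyp' box at offset 4."""
    return len(data) >= 12 and data[4:8] == b"ftyp"


def looks_like_apk(data: bytes) -> bool:
    """An APK is a ZIP archive whose entries include an Android manifest
    and at least one Dalvik bytecode file."""
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False
    return "AndroidManifest.xml" in names and any(n.endswith(".dex") for n in names)


def detect_type(data: bytes) -> str:
    """Sniff the real type from content only; the claimed name is ignored here."""
    if looks_like_apk(data):
        return "apk"
    if looks_like_mp4(data):
        return "mp4"
    return "unknown"


def classify_attachment(claimed_name: str, data: bytes) -> tuple[str, str]:
    """Return (detected_type, verdict).

    verdict is 'consistent' when content agrees with the claimed extension,
    'mismatch' when an APK hides behind a video extension (the case in the
    article), and 'unverified' when the sniffer cannot confirm either way.
    A client should refuse to offer 'open with external player' on 'mismatch'
    and label the file as a package instead.
    """
    ext = claimed_name.rsplit(".", 1)[-1].lower() if "." in claimed_name else ""
    detected = detect_type(data)
    if ext in VIDEO_EXTS and detected == "apk":
        return detected, "mismatch"
    if (ext in VIDEO_EXTS and detected == "mp4") or (ext == "apk" and detected == "apk"):
        return detected, "consistent"
    return detected, "unverified"


if __name__ == "__main__":
    for name, blob in [
        ("holiday.mp4", build_constructed_apk()),   # package disguised as video
        ("holiday.mp4", CONSTRUCTED_MP4),           # genuine video header
        ("update.apk", build_constructed_apk()),    # honestly labelled package
    ]:
        print(name, "->", classify_attachment(name, blob))
```

The check is deliberately content-first: the extension and any sender-supplied MIME type only decide whether the sniffed type is *consistent*, never what the file is. In a client that auto-downloads media, running this before the file is handed to a player means a mislabelled package is surfaced as a package at download time rather than after a failed playback prompt.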
This exploit didn’t hit the iOS, desktop or Windows desktop apps. But considering Telegram’s Android app has seen over a billion downloads, that’s still a massive base of potential victims.
Telegram, however, doesn’t see the exploit as a real concern. “This exploit is not a vulnerability in Telegram. It would have required users to open the video, adjust Android safety settings and then manually install a suspicious-looking ‘media app,’” a rep for Telegram tells PCMag. Regardless, the rep confirmed that the issue has since been fixed.
Hackers and cybercriminals typically buy and sell malware, spyware, ransomware, and other software exploits on the dark web. But not all of them are underground—some are even selling phishing kits via Telegram itself.
Editor’s Note: This story has been updated to include comment from Telegram.