Exploiting the EvilVideo vulnerability on Telegram for Android

ESET Research

ESET researchers discovered a zero-day Telegram for Android exploit that allows sending malicious files disguised as videos

ESET researchers discovered a zero-day exploit that targets Telegram for Android, which appeared for sale for an unspecified price in an underground forum post from June 6th, 2024. Using the exploit to abuse a vulnerability that we named EvilVideo, attackers could share malicious Android payloads via Telegram channels, groups, and private chats, and make them appear as multimedia files.

We were able to locate an example of the exploit, allowing us to analyze it further, and report it to Telegram on June 26th, 2024. On July 11th, they released an update that fixes the vulnerability in Telegram versions 10.14.5 and above.

Figure 1 is a video demonstration and explanation of the EvilVideo vulnerability.

Figure 1. Explanation of the EvilVideo vulnerability

Key points of the blogpost:

  • On June 26th, 2024, in an underground forum, we found an advertisement for a zero-day exploit that targets Telegram for Android.
  • We named the vulnerability it exploits EvilVideo and reported it to Telegram; their team patched it on July 11th, 2024.
  • EvilVideo allows attackers to send malicious payloads that appear as video files in unpatched Telegram for Android.
  • The exploit only works on Android Telegram versions 10.14.4 and older.

Discovery

We found the exploit being advertised for sale on an underground forum: see Figure 2.

Figure 2. Post on an underground forum

In the post, the seller shows screenshots and a video of testing the exploit in a public Telegram channel. We were able to identify the channel in question, with the exploit still available. That allowed us to get our hands on the payload and test it ourselves.

Analysis

Our analysis of the exploit revealed that it works on Telegram versions 10.14.4 and older. We speculate that the payload is most likely crafted using the Telegram API, since the API allows developers to upload multimedia files to Telegram chats or channels programmatically, rather than through the regular client upload flow.

The exploit seems to rely on the threat actor being able to create a payload that displays an Android app as a multimedia preview and not as a binary attachment. Once shared in chat, the malicious payload appears as a 30-second video (Figure 3).

Figure 3. Example of the exploit

By default, media files received via Telegram are set to download automatically. This means that users with the option enabled will automatically download the malicious payload once they open the conversation where it was shared. The option can be disabled manually – in that case, the payload can still be downloaded by tapping the download button in the top left corner of the shared, apparent video, as is visible in Figure 3.

If the user tries to play the “video”, Telegram displays a message that it is unable to play it and suggests using an external player (see Figure 4). This is an original Telegram warning we found in the source code of the legitimate Telegram for Android app; it is not crafted and pushed by the malicious payload.

Figure 4. Telegram warning that it can’t play the “video”

However, if the user taps the Open button in the displayed message, they will be requested to install a malicious app disguised as the aforementioned external player. As seen in Figure 5, before installation, Telegram will ask the user to enable the installation of unknown apps.

Figure 5. Telegram requests the user to allow it to install unknown apps

At this point, the malicious app in question has already been downloaded as the apparent video file, but with the .apk extension. Interestingly, it is the nature of the vulnerability that makes the shared file look like a video – the actual malicious app was not altered to pose as a multimedia file, which suggests that the upload process was most likely exploited. The malicious app’s installation request can be seen in Figure 6.

Figure 6. Request to install the malicious payload, detected as Android/Spy.SpyMax.T after exploitation

Unfortunately, we were unable to replicate the exploit, only inspect and verify the sample shared by the seller.
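The practical takeaway from the analysis above is that the file on disk is an unmodified APK; only the way the Android client previews it makes it look like a video. A defender triaging Telegram downloads should therefore trust the bytes, not the extension or the preview. The following Python triage helper is an added example written for this page, not code from ESET or Telegram: it identifies a file by its magic bytes (the `ftyp` box of an MP4 versus the ZIP signature plus `AndroidManifest.xml` and `classes.dex` that every APK carries) and flags an APK delivered under a video name, such as the `Teating.mp4` name observed on the Telegram Web download. It also compares a reported Telegram for Android version against the 10.14.5 fix. The sample "files" are constructed in memory; the function names and the version-string format are assumptions for illustration.

```python
"""Triage helper for APKs masquerading as videos (added example, not ESET's code)."""
import io
import re
import zipfile

ZIP_MAGIC = b"PK\x03\x04"                     # ZIP local file header; APKs are ZIP archives
APK_MEMBERS = {"AndroidManifest.xml", "classes.dex"}
VIDEO_EXTS = (".mp4", ".m4v", ".mov")
PATCHED_VERSION = (10, 14, 5)                   # first Telegram for Android release with the fix


def detect_type(data: bytes) -> str:
    """Identify a blob by its bytes, ignoring its name: 'mp4', 'apk', 'zip' or 'unknown'."""
    # ISO BMFF containers (MP4/MOV) begin with a box whose type field at offset 4 is 'ftyp'.
    if len(data) >= 12 and data[4:8] == b"ftyp":
        return "mp4"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "unknown"
        return "apk" if APK_MEMBERS <= names else "zip"
    return "unknown"


def triage(filename: str, data: bytes) -> dict:
    """Compare what the file name claims with what the bytes actually are."""
    detected = detect_type(data)
    claims_video = filename.lower().endswith(VIDEO_EXTS)
    return {
        "name": filename,
        "detected": detected,
        # An APK delivered under a video name is exactly the EvilVideo pattern.
        "suspicious": claims_video and detected == "apk",
    }


def is_vulnerable_version(version: str) -> bool:
    """True for Telegram for Android builds older than 10.14.5 (assumed 'major.minor.patch' string)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(x) for x in m.groups()) < PATCHED_VERSION


def build_fake_apk() -> bytes:
    """Constructed sample: a minimal ZIP carrying the two members every APK has."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()


def build_fake_mp4() -> bytes:
    """Constructed sample: a 24-byte 'ftyp' box followed by an empty 'free' box."""
    return (b"\x00\x00\x00\x18ftypmp42\x00\x00\x00\x00mp42isom"
            b"\x00\x00\x00\x08free")


if __name__ == "__main__":
    samples = {
        "Teating.mp4": build_fake_apk(),   # APK under the name seen on the Web download
        "holiday.mp4": build_fake_mp4(),   # a real video: no mismatch
        "update.apk": build_fake_apk(),    # APK that says it is an APK: no mismatch
    }
    for name, blob in samples.items():
        print(triage(name, blob))
    for v in ("10.14.4", "10.14.5", "10.15.0"):
        print(v, "vulnerable" if is_vulnerable_version(v) else "patched")
```

Run it over a Telegram media directory by reading each file's bytes into `triage`; the `detected` field is what matters, and `suspicious` is only a convenience for the one pattern this post describes. A recognised MP4 is not proof of safety, and the version check says nothing about whether a device has already accepted such a file.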

Telegram Web and Desktop

Even though the payload was made solely to target Telegram for Android, we still tried to test its behavior on other Telegram clients. We tested both the Telegram Web client and the Telegram Desktop client for Windows – as expected, the exploit did not work on either of them.

In the case of Telegram Web, after we tried playing the “video”, the client displayed an error message saying to try opening the video with the desktop app instead (see Figure 7). Downloading the attached file manually revealed its name and extension to be Teating.mp4. Although the file is still an Android executable binary (APK), Telegram Web treats it as an MP4 file, which prevents the exploit from working.

The Telegram Desktop client for Windows likewise handles the file as a multimedia file rather than as an executable. Even if an attacker crafted a Windows executable instead of an Android APK, it would still be treated as a multimedia file, rendering the exploit ineffective on the desktop.

Threat actor

While investigating the exploit, we came across further suspicious activity by the threat actor behind it. On the same underground forum, they have also been offering an Android cryptor-as-a-service, advertised since January 11th, 2024, which they claim to be fully undetectable (FUD).

Vulnerability disclosure

Following our coordinated disclosure policy, we reported the EvilVideo vulnerability to Telegram on June 26th, 2024. Having received no response, we reported it again on July 4th. Telegram then responded and confirmed that their team was investigating the issue. They patched the vulnerability in version 10.14.5, released on July 11th, and informed us via email.

Conclusion

We discovered a zero-day exploit for Telegram for Android being sold on an underground forum. The vulnerability it exploits allows malicious payloads disguised as multimedia files to be sent via Telegram chats. If a user tries to play the apparent video, they are asked to install an external app, which is in fact the malicious payload. The vulnerability has been fixed since July 11th, 2024, in Telegram for Android version 10.14.5, after we reported it to Telegram.

For more details on this research and our other findings, feel free to reach out to us at threatintel@eset.com. We also offer private APT intelligence reports and data feeds through ESET Threat Intelligence.

A comprehensive list of indicators of compromise (IoCs) and samples related to this exploit, together with the MITRE ATT&CK techniques used in the attack, can be found in our GitHub repository.

