ESET researchers have discovered a Telegram zero-day exploit for Android that allows sending malicious files disguised as videos

Cursed Tapes: Exploit EvilVideo Vulnerability on Telegram for Android

ESET researchers have discovered a zero-day exploit targeting Telegram for Android, which appeared for sale for an unspecified price in an underground forum post on June 6th, 2024. By using the exploit to abuse a vulnerability we named EvilVideo, attackers could share malicious Android payloads via Telegram channels, groups, and chats, and make them appear as media files.

We were able to locate an example of the exploit, which allowed us to analyze it further and report it to Telegram on June 26th, 2024. On July 11th, 2024, Telegram released an update that fixes the vulnerability in versions 10.14.5 and above.

Figure 1 is a video demonstration and explanation of the EvilVideo vulnerability.

Figure 1. Explanation of the EvilVideo vulnerability

Key points from the blog post:

  • On June 26th, 2024, we found an advertisement on an underground forum for a zero-day exploit targeting Telegram for Android.
  • We named the vulnerability it exploits EvilVideo and reported it to Telegram; their team fixed it on July 11th, 2024.
  • EvilVideo allows attackers to send malicious payloads that appear as video files in unpatched Telegram for Android.
  • The exploit only works on Telegram Android versions 10.14.4 and earlier.

Discovery

We found the exploit advertised for sale on an underground forum: see Figure 2.

Figure 2. Posting on an underground forum

In the post, the seller shows screenshots and a video of the exploit being tested on a public Telegram channel. We were able to identify the channel in question, as the exploit is still available. This allowed us to get our hands on the payload and test it ourselves.

Analysis

Our analysis of the exploit revealed that it works on Telegram versions 10.14.4 and earlier. We believe that the specific payload is most likely crafted using the Telegram API, as it allows developers to upload specially crafted media files to Telegram chats or channels programmatically.

The exploit appears to rely on the malicious actor’s ability to craft a payload that displays an Android app as a media preview, rather than as a binary attachment. Once shared in chat, the malicious payload appears as a 30-second video (Figure 3).

Figure 3. Example exploit

By default, media files received via Telegram are set to be downloaded automatically. This means that users who have enabled the option will automatically download the malicious payload once they open the conversation in which it was shared. The option can be disabled manually. In this case, the payload can still be downloaded by tapping the download button in the top-left corner of the shared video, as shown in Figure 3.

If the user tries to play the “video,” Telegram displays a message that it cannot play it and suggests using an external player (see Figure 4). This is an original Telegram warning that we found in the source code of the legitimate Telegram app for Android; it was not crafted and delivered by the malicious payload.

Figure 4. Telegram warning that it cannot play the “video”

However, if the user presses the Open button in the displayed message, he or she will be asked to install a malicious application disguised as the aforementioned external player. As shown in Figure 5, before installation, Telegram will ask the user to allow the installation of unknown applications.

Figure 5. Telegram asks user to allow it to install unknown apps

At this point, the malicious application in question has already been downloaded as an apparent video file, but with the .apk extension. Interestingly, it is the nature of the vulnerability that makes the shared file look like a video: the malicious application has not been modified to masquerade as a media file, suggesting that the download process itself was most likely exploited. The malicious application’s installation request can be seen in Figure 6.

Figure 6. Malicious payload installation request, detected as Android/Spy.SpyMax.T after exploitation

Unfortunately, we were unable to reproduce the exploit ourselves; we could only inspect and verify the sample shared by the seller.

Telegram Web and Desktop

Even though the payload was designed to target Telegram for Android only, we still tried to test its behavior on other Telegram clients. We tested both the Telegram web client and the Telegram desktop client for Windows – as expected, the exploit didn’t work on either.

In the case of Telegram Web, after trying to play the “video,” the client displayed an error message suggesting that the video be opened with the desktop application instead (see Figure 7). Manually downloading the attached file revealed that its name and extension were Teating.mp4. Although the file itself is actually an Android executable binary (APK), the fact that Telegram treats it as an MP4 file prevented the exploit from working: for it to succeed, the attachment would have had to carry the .apk extension.

A very similar thing happened with the Telegram Desktop client for Windows: the downloaded file was named Teating.apk.mp4, so it was again a binary APK file with a .mp4 extension. This suggests that even if an attacker created a Windows executable to use instead of the Android APK, it would still be treated as a media file and the exploit would not work.
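The defensive takeaway from the two paragraphs above is that neither the chat preview nor the file extension is a reliable indicator of what was actually downloaded; only the file contents are. The following added example (not ESET's or Telegram's code) classifies a file by its bytes, distinguishing an MP4 ftyp box from a ZIP archive that carries AndroidManifest.xml, and flags the name/content mismatch at the heart of EvilVideo. The file names and the sample files are constructed inside the script.

```python
import io
import zipfile

MP4_BRANDS = {b"isom", b"iso2", b"mp41", b"mp42", b"avc1", b"M4V "}
MEDIA_EXTS = {".mp4", ".m4v", ".mov", ".3gp"}

def sniff_container(data: bytes) -> str:
    """Classify a file by content only: 'mp4', 'apk', 'zip' or 'unknown'."""
    # ISO BMFF (MP4 family): bytes 4..8 are the box type 'ftyp', 8..12 the major brand.
    if len(data) >= 12 and data[4:8] == b"ftyp" and data[8:12] in MP4_BRANDS:
        return "mp4"
    # An APK is a ZIP archive; what makes it an APK is the AndroidManifest.xml entry.
    if data[:4] == b"PK\x03\x04":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "unknown"
        return "apk" if "AndroidManifest.xml" in names else "zip"
    return "unknown"

def is_disguised_apk(filename: str, data: bytes) -> bool:
    """True when the name claims a media file but the bytes are an Android package.
    Only the last extension counts, so 'x.apk.mp4' is treated as claiming video."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in MEDIA_EXTS and sniff_container(data) == "apk"

def build_fake_apk() -> bytes:
    """Constructed stand-in for a payload: a minimal ZIP with the two entries that matter."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()

def build_minimal_mp4() -> bytes:
    """Constructed MP4 'ftyp' box: size, type, major brand, minor version, compatible brand."""
    return (20).to_bytes(4, "big") + b"ftyp" + b"isom" + b"\x00\x00\x02\x00" + b"isom"

if __name__ == "__main__":
    # Constructed file names; the second mirrors the double-extension case seen on desktop.
    samples = [("clip.mp4", build_minimal_mp4()),
               ("payload.apk.mp4", build_fake_apk()),
               ("payload.apk", build_fake_apk())]
    for name, blob in samples:
        verdict = "DISGUISED APK" if is_disguised_apk(name, blob) else "consistent"
        print(f"{name}: content={sniff_container(blob)} -> {verdict}")
```

Pointed at a download directory, the same check gives a quick triage signal for files that a chat client rendered as media.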

Figure 7. Telegram Web error message when triggering the exploit

Threat Actor

While we don’t know much about the threat actor, we managed to find another dubious service they provide, based on the Telegram handle the vendor shared in their forum post. In addition to the exploit, they have been using the same underground forum since January 11th, 2024 to advertise an Android cryptor-as-a-service that they claim is fully undetectable (FUD). The forum message can be seen in Figure 8.

Figure 8. Post on an underground forum promoting an Android cryptor-as-a-service

Vulnerability Report

After discovering the EvilVideo vulnerability on June 26th, 2024, we followed our coordinated disclosure policy and reported it to Telegram, but received no response at the time. We reported the vulnerability again on July 4th, and this time Telegram contacted us the same day to confirm that their team was investigating EvilVideo. They fixed the issue, released version 10.14.5 on July 11th, and informed us by email.

The vulnerability affected all versions of Telegram for Android up to 10.14.4, but has been fixed starting with 10.14.5. As we verified, the chat media preview now correctly displays that the shared file is an app (Figure 9) and not a video.

Figure 9. Telegram version 10.14.5 chat correctly displaying the nature of the shared binary file

Conclusion

We discovered a Telegram zero-day for Android for sale on an underground forum. The vulnerability it exploits allows malicious payloads that look like media files to be sent via Telegram chats. If a user tries to play the apparent video, they are prompted to install an external app, which in fact installs the malicious payload. Fortunately, the vulnerability was patched on July 11th, 2024, after we reported it to Telegram.

For any questions regarding our research published on WeLiveSecurity, please contact us at threatintel@eset.com
ESET Research offers intelligence reports and private data feeds on APT threats. For inquiries about this service, visit ESET Threat Intelligence page.

IoC

A complete list of Indicators of Compromise (IoCs) and examples can be found in our GitHub repository.

Files

SHA-1: F159886DCF9021F41EAA2B0641A758C4F0C4033D
File name: Teating.apk
Detection: Android/Spy.SpyMax.T
Description: EvilVideo payload.

Network

IP: 183.83.172[.]232
Domain: infinityhackscharan.ddns[.]net
Hosting provider: Administrator Beam Cable System
First seen: 2024-07-16
Details: EvilVideo payload C&C server.

MITRE ATT&CK Techniques

This table was constructed using version 15 of the MITRE ATT&CK Mobile techniques.

Tactic: Initial Access
ID: T1664
Name: Exploitation for Initial Access
Description: The EvilVideo vulnerability can be exploited by Android malware to gain initial access to the device.

Tactic: Execution
ID: T1658
Name: Exploitation for Client Execution
Description: The EvilVideo vulnerability tricks the victim into installing a malicious application that impersonates a media file.