ESET researchers have discovered a Telegram zero-day exploit for Android that allows sending malicious files disguised as videos
July 22, 2024

ESET researchers have discovered a zero-day exploit targeting Telegram for Android, which appeared for sale for an unspecified price in an underground forum post on June 6th, 2024. By using the exploit to abuse a vulnerability we named EvilVideo, attackers could share malicious Android payloads via Telegram channels, groups, and chats and make them appear as media files.
We were able to locate an example of the exploit, which allowed us to analyze it further and report it to Telegram on June 26th, 2024. On July 11th, Telegram released an update that fixes the vulnerability in Telegram versions 10.14.5 and above.
Figure 1 is a video demonstration and explanation of the EvilVideo vulnerability.
Figure 1. Explanation of the EvilVideo vulnerability
Key points from the blog post:
- On June 26th, 2024, we found an advertisement for a zero-day exploit targeting Telegram for Android on an underground forum.
- We named the vulnerability it exploits EvilVideo and reported it to Telegram; their team fixed it on July 11th, 2024.
- EvilVideo allows attackers to send malicious payloads that appear as video files in unpatched Telegram for Android.
- The exploit only works on Telegram Android versions 10.14.4 and earlier.
Discovery
We found the exploit advertised for sale on an underground forum: see Figure 2.

In the post, the seller shows screenshots and a video of the exploit being tested on a public Telegram channel. We were able to identify the channel in question, as the exploit is still available. This allowed us to get our hands on the payload and test it ourselves.
Analysis
Our analysis of the exploit revealed that it works on Telegram versions 10.14.4 and earlier. We believe that the specific payload is most likely crafted using the Telegram API, as it allows developers to upload specially crafted media files to Telegram chats or channels programmatically.
The exploit appears to rely on the malicious actor’s ability to craft a payload that displays an Android app as a media preview, rather than as a binary attachment. Once shared in chat, the malicious payload appears as a 30-second video (Figure 3).

By default, media files received via Telegram are set to be downloaded automatically. This means that users who have enabled the option will automatically download the malicious payload once they open the conversation in which it was shared. The option can be disabled manually. In this case, the payload can still be downloaded by tapping the download button in the top-left corner of the shared video, as shown in Figure 3.
If the user tries to play the “video,” Telegram displays a message that it cannot play it and suggests using an external player (see Figure 4). This is an original Telegram warning that we found in the source code of the legitimate Telegram app for Android; it was not crafted and delivered by the malicious payload.

However, if the user presses the Open button in the displayed message, he or she will be asked to install a malicious application disguised as the aforementioned external player. As shown in Figure 5, before installation, Telegram will ask the user to allow the installation of unknown applications.

At this point, the malicious application in question has already been downloaded as an apparent video file, but with the .apk extension. Interestingly, it is the nature of the vulnerability that makes the shared file look like a video: the malicious application has not been modified to masquerade as a media file, suggesting that the upload process was most likely exploited. The malicious application’s installation request can be seen in Figure 6.

Unfortunately, we were unable to reproduce the exploit ourselves; we could only inspect and verify the sample shared by the seller.
Telegram Web and Desktop
Even though the payload was designed to target Telegram for Android only, we still tried to test its behavior on other Telegram clients. We tested both the Telegram web client and the Telegram desktop client for Windows – as expected, the exploit didn’t work on either.
In the case of Telegram Web, after trying to play the “video,” the client displayed an error message suggesting that the video be opened with the desktop application instead (see Figure 7). Manually downloading the attached file revealed that its name and extension were Teating.mp4. Although the file itself is actually an Android executable binary (APK), the fact that Telegram treats it as an MP4 file prevented the exploit from working: for it to succeed, the attachment would have had to have the .apk extension.
A very similar thing happened with the Telegram Desktop client for Windows: the downloaded file was named Teating.apk.mp4, so it was again a binary APK file with a .mp4 extension. This suggests that even if an attacker created a Windows executable to use instead of the Android APK, it would still be treated as a media file and the exploit would not work.
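The behaviour described in the two sections above comes down to one question: is the file that arrived really a video, or an Android package that the client merely labels as one? The following Python check, added here as a defender-side example and not part of the original post or ESET's tooling, classifies an attachment by its bytes instead of its name and flags an APK that carries a .mp4 name or a double extension of the <name>.apk.mp4 kind; the sample blobs are constructed stand-ins, not the real payload.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Constructed sample inputs (not real malware): a minimal ZIP holding the two
# members every APK has, and the ISO-BMFF 'ftyp' header a real MP4 starts with.
def _build_fake_apk() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<placeholder binary manifest>")
        zf.writestr("classes.dex", b"dex\n035\x00placeholder")
    return buf.getvalue()

FAKE_APK = _build_fake_apk()
FAKE_MP4 = b"\x00\x00\x00\x18ftypmp42\x00\x00\x00\x00mp42isom" + b"\x00" * 16

def sniff_type(data: bytes) -> str:
    """Classify a blob by its content, ignoring whatever name it was given."""
    if len(data) >= 12 and data[4:8] == b"ftyp":  # ISO-BMFF (MP4) file-type box
        return "mp4"
    if data[:4] == b"PK\x03\x04":  # ZIP local file header; APKs are ZIP containers
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "unknown"
        return "apk" if {"AndroidManifest.xml", "classes.dex"} & names else "zip"
    return "unknown"

def assess(name: str, data: bytes) -> dict:
    """Compare the type the file name claims with the type the bytes really are."""
    suffixes = [s.lower().lstrip(".") for s in PurePosixPath(name).suffixes]
    claimed = suffixes[-1] if suffixes else ""
    actual = sniff_type(data)
    reasons = []
    if actual == "apk" and claimed != "apk":
        reasons.append(f"content is an Android package but name claims .{claimed or '?'}")
    if "apk" in suffixes[:-1]:  # e.g. <name>.apk.mp4 as seen on the desktop client
        reasons.append("double extension hides an inner .apk suffix")
    return {"name": name, "claimed": claimed, "actual": actual,
            "suspicious": bool(reasons), "reasons": reasons}

if __name__ == "__main__":
    for fname, blob in [("sample.mp4", FAKE_APK), ("sample.apk.mp4", FAKE_APK),
                        ("clip.mp4", FAKE_MP4)]:
        print(assess(fname, blob))
```

For the Android case, where the name already ends in .apk and only the chat preview lies, the `actual` field still reports the file as an app, which is the fact the preview hid.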

Threat Actor
While we don’t know much about the threat actor, we managed to find another dubious service they provide, based on the Telegram handle the vendor shared in their forum post. In addition to the exploit, they have been using the same underground forum since January 11th, 2024 to advertise an Android cryptor-as-a-service that they claim to be fully undetectable (FUD). The forum message can be seen in Figure 8.

Vulnerability Report
After discovering the EvilVideo vulnerability on June 26th, 2024, we followed our coordinated disclosure policy and reported it to Telegram, but received no response at the time. We reported the vulnerability again on July 4th, and this time Telegram contacted us the same day to confirm that their team was investigating EvilVideo. They fixed the issue, released version 10.14.5 on July 11th, and informed us by email.
The vulnerability affected all versions of Telegram for Android up to 10.14.4, but has been fixed starting with 10.14.5. As we verified, the chat media preview now correctly displays that the shared file is an app (Figure 9) and not a video.

Conclusion
We discovered a Telegram zero-day for Android for sale on an underground forum. The vulnerability it exploits allows malicious payloads that look like media files to be sent via Telegram chat. If a user tries to play the apparent video, they are prompted to install an external app, which actually installs the malicious payload. Fortunately, the vulnerability was patched on July 11th, 2024, after we reported it to Telegram.
For any questions regarding our research published on WeLiveSecurity, please contact us at threatintel@eset.com.
ESET Research offers intelligence reports and private data feeds on APT threats. For inquiries about this service, visit the ESET Threat Intelligence page.
IoCs
A comprehensive list of Indicators of Compromise (IoCs) and samples can be found in our GitHub repository.
Files
SHA-1 | File name | Detection | Description |
F159886DCF9021F41EAA | Teating.apk | Android/Spy.SpyMax.T | EvilVideo payload. |
Network
IP | Domain | Hosting provider | First seen | Details |
183.83.172[.]232 | infinityhackscharan. | Administrator Beam Cable System | 2024-07-16 | EvilVideo Payload C&C Server. |
MITRE ATT&CK Techniques
This table was built using version 15 of the MITRE ATT&CK Mobile techniques.
Tactic | ID | Name | Description |
Initial Access | | Exploitation for Initial Access | The EvilVideo vulnerability can be exploited by Android malware to gain initial access to the device. |
Execution | | Exploitation for Client Execution | The EvilVideo vulnerability tricks the victim into installing a malicious application that impersonates a media file. |