Attackers Exploit ‘EvilVideo’ Telegram Zero-Day to Hide Malware
Telegram has patched a zero-day flaw in older versions of its Android chat and media-sharing application that allowed attackers to hide malicious payloads in files presented as videos. The exploit, dubbed "EvilVideo," requires user action to download an unspecified malicious payload.
Researchers from ESET Research discovered the flaw after finding an advertisement for the exploit on a Russian-language hacker forum on June 6. The exploit works on Telegram versions 10.14.4 and older. To hide the malicious payload, attackers would share an Android app as a multimedia file via Telegram channels, groups, or chats, making it appear as a 30-second video.
The researchers believe the attackers built the payload using the Telegram API, which allows multimedia files to be uploaded programmatically, so the file could be crafted to pass as a video. ESET promptly reported the exploit and the flaw to Telegram, which patched the issue on July 11 with a server-side fix for versions 10.14.5 and above of its Android app.
Users should update their apps immediately to avoid compromise. The exploit requires user action: when the user taps the apparent video file to play it, Telegram displays a message suggesting the use of an external player. If the user taps "Open," a request to install a malicious app pops up, which the user must approve before the malware is installed.
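The core of the trick is a file whose declared name and preview say "video" while its bytes say "Android package". The following check, added here as an illustration and not taken from the article or from ESET, sniffs an attachment's real format instead of trusting its name: MP4 files carry an `ftyp` box at offset 4, while an APK is a ZIP archive containing `AndroidManifest.xml`. The sample inputs are constructed stand-ins, not real payloads.

```python
import io
import struct
import zipfile


def looks_like_mp4(data: bytes) -> bool:
    # ISO BMFF (MP4/MOV) files start with a box whose 4-byte type,
    # at offset 4, is 'ftyp'.
    return len(data) >= 8 and data[4:8] == b"ftyp"


def looks_like_apk(data: bytes) -> bool:
    # An APK is a ZIP archive; the decisive marker is AndroidManifest.xml.
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False
    return "AndroidManifest.xml" in names


def classify_attachment(declared_name: str, data: bytes) -> str:
    """Compare the declared file name against the sniffed content type.

    Returns 'video', 'apk', 'apk-disguised-as-video' or 'unknown'.
    """
    claims_video = declared_name.lower().endswith((".mp4", ".mov", ".m4v"))
    if looks_like_apk(data):
        return "apk-disguised-as-video" if claims_video else "apk"
    if looks_like_mp4(data):
        return "video"
    return "unknown"


def _build_fake_apk() -> bytes:
    # Constructed sample: the minimal ZIP shape of an APK, no real code inside.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()


# Constructed samples used by the checks below.
FAKE_APK = _build_fake_apk()
FAKE_MP4 = struct.pack(">I", 20) + b"ftyp" + b"isom" + b"\x00\x00\x02\x00" + b"isom"
```

A gateway or endpoint agent applying this check would flag the page's scenario as `apk-disguised-as-video` regardless of the preview the client renders.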
ESET tested the exploit on Android, the Telegram Web client, and the Telegram Desktop client for Windows; however, it did not work on the latter two platforms. The researchers have posted indicators of compromise (IoCs) for the exploit on ESET’s GitHub page.
Mobile users are advised never to download anything received in messages from people they don't know, especially when the messages are unsolicited.
Source: https://www.darkreading.com/cyberattacks-data-breaches/attackers-exploit-evilvideo-telegram-zero-day-malware