Telegram Zero-Day Vulnerability Exploited Using Malicious Video Files
ESET researchers recently discovered a severe zero-day vulnerability in the Telegram messaging app for Android, potentially exposing millions of users to malicious attacks.
The exploit, dubbed “EvilVideo,” allowed attackers to disguise malicious Android payloads as innocuous video files that could be distributed through Telegram channels, groups, and private chats.
The vulnerability was first identified when ESET researchers found an advertisement for the exploit on an underground forum on June 6, 2024. Using the alias “Ancryno,” the seller offered the zero-day for an undisclosed price, claiming it worked on Telegram versions 10.14.4 and older.
This information enabled ESET researchers to track down the channel, obtain the payload, and produce a detailed analysis.
ESET’s investigation confirmed that the exploit affects Telegram versions 10.14.4 and older. The payload, likely crafted using the Telegram API, masquerades as a 30-second video.
How is the Telegram Zero-Day Vulnerability Exploited?
If a user attempts to play the “video,” Telegram displays an error message suggesting the use of an external player. Tapping the Open button in this message triggers the installation of a malicious app disguised as an external player.
Telegram then asks the user to allow the installation of unknown apps, leading to the installation of the malicious app. The malicious app is delivered as an apparent video file but is in fact an .apk, exploiting the vulnerability to appear as a multimedia file.
When shared in a chat, the malicious payload appears as a multimedia file, leveraging Telegram’s default setting to automatically download media files. Users with this setting enabled would automatically download the malicious payload upon opening the conversation.
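The core of the technique is a mismatch between what the chat client claims a file is (a video) and what the bytes actually are (an APK, which is a ZIP archive). The following added example, written for this page and not taken from ESET or Telegram, shows the defender-side check a mobile gateway or endpoint scanner can apply to downloaded media: it ignores the name and the client's label and inspects the content. The sample APK and MP4 header are constructed inline; the `AndroidManifest.xml` and `classes.dex` markers and the ISO-BMFF `ftyp` box are real format features.

```python
"""
Detect Android packages (APKs) delivered under a video label.

An APK is a ZIP archive containing AndroidManifest.xml and classes.dex;
a genuine MP4/3GP/MOV file begins with an ISO base media 'ftyp' box.
Checking the bytes rather than trusting the name or the client's
media-type label exposes the masquerade.
"""
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"
APK_MARKERS = {"AndroidManifest.xml", "classes.dex"}


def looks_like_video(data: bytes) -> bool:
    """True if the bytes begin with an ISO-BMFF 'ftyp' box (MP4/MOV/3GP)."""
    return len(data) >= 12 and data[4:8] == b"ftyp"


def looks_like_apk(data: bytes) -> bool:
    """True if the bytes are a ZIP archive containing Android package markers."""
    if not data.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False
    return bool(names & APK_MARKERS)


def classify(claimed_kind: str, data: bytes) -> str:
    """
    Compare the claimed media kind ('video', 'document', ...) with the content.
      'disguised_apk' -> APK content presented as a video
      'apk'           -> APK content presented as something other than a video
      'video'         -> content carries a video signature
      'unknown'       -> neither signature matched
    """
    if looks_like_apk(data):
        return "disguised_apk" if claimed_kind == "video" else "apk"
    if looks_like_video(data):
        return "video"
    return "unknown"


def build_sample_apk() -> bytes:
    """Constructed minimal APK-shaped ZIP for demonstration; not a real app."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")  # placeholder content
        zf.writestr("classes.dex", b"dex\n035\x00")          # placeholder content
    return buf.getvalue()


# Constructed MP4-style header: 4-byte box size, 'ftyp', major brand 'mp42'.
SAMPLE_VIDEO = b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 16


if __name__ == "__main__":
    for label, data in (("video", build_sample_apk()), ("video", SAMPLE_VIDEO)):
        print(label, "->", classify(label, data))
```

In a deployment the `claimed_kind` comes from whatever the client or message metadata reports; the verdict `disguised_apk` is the condition worth alerting on, since a legitimate video never carries an Android manifest.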
ESET researchers promptly reported the vulnerability to Telegram on June 26, 2024, and again on July 4. Telegram acknowledged the issue and released a patch in version 10.14.5 on July 11, 2024, effectively closing the security hole.
While it remains unclear whether the exploit was used in real-world attacks, the potential for widespread damage was significant given Telegram’s popularity, with over a billion downloads of its Android app.
The threat actor behind EvilVideo also offers an Android cryptor-as-a-service, claiming it is fully undetectable (FUD). This service has been advertised on the same underground forum since January 11, 2024.
Telegram users are strongly advised to update their app to the latest version and to exercise caution when interacting with media files from unknown sources. This incident serves as a reminder of the persistent risks in the digital landscape and the critical role of cybersecurity research in protecting users from emerging threats.
IoCs
A comprehensive list of Indicators of Compromise (IoCs) and samples can be found in our GitHub repository.
Files
| SHA-1 | Filename | Detection | Description |
|---|---|---|---|
| F159886DCF9021F41EAA2B0641A758C4F0C4033D | Teating.apk | Android/Spy.SpyMax.T | EvilVideo payload. |
Network
| IP | Domain | Hosting provider | First seen | Details |
|---|---|---|---|---|
| 183.83.172[.]232 | infinityhackscharan.ddns[.]net | Administrator Beam Cable System | 2024‑07‑16 | C&C server of EvilVideo payload. |
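To make the indicators above actionable, a responder needs to refang them (the tables defang dots as `[.]`) and sweep them across DNS, firewall and scanner logs. The following added example does that; it is not ESET's code, the indicator values are copied from the tables above, and the log lines are constructed for the example rather than real telemetry.

```python
"""
Sweep the EvilVideo indicators from the IoC tables across sample log lines.

Indicator values are the published ones (defanged with [.]); the log
lines below are constructed for this example and are not real telemetry.
"""
import re

DEFANGED_IOCS = {
    "ip": ["183.83.172[.]232"],
    "domain": ["infinityhackscharan.ddns[.]net"],
    "sha1": ["F159886DCF9021F41EAA2B0641A758C4F0C4033D"],
}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
SHA1_RE = re.compile(r"\b[0-9a-f]{40}\b", re.I)


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into its matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def build_index(iocs: dict) -> dict:
    """Normalise every indicator to lowercase refanged form, grouped by kind."""
    return {kind: {refang(v).lower() for v in values} for kind, values in iocs.items()}


def scan_line(line: str, index: dict) -> list:
    """Return (kind, value) pairs for every indicator found in one log line."""
    hits = []
    for ip in IPV4_RE.findall(line):
        if ip in index["ip"]:
            hits.append(("ip", ip))
    for dom in DOMAIN_RE.findall(line):
        if dom.lower() in index["domain"]:
            hits.append(("domain", dom.lower()))
    for digest in SHA1_RE.findall(line):
        if digest.lower() in index["sha1"]:
            hits.append(("sha1", digest.lower()))
    return hits


def scan_logs(lines: list, iocs: dict = DEFANGED_IOCS) -> list:
    """Return (line_number, line, hits) for every line with at least one hit."""
    index = build_index(iocs)
    results = []
    for number, line in enumerate(lines):
        hits = scan_line(line, index)
        if hits:
            results.append((number, line, hits))
    return results


# Constructed sample logs: an internal client (10.0.0.7) resolving the C&C
# domain, connecting to the C&C IP, and a scanner hashing the dropped file.
SAMPLE_LOGS = [
    "2024-07-16T10:01:12Z dns query client=10.0.0.7 qname=infinityhackscharan.ddns.net type=A",
    "2024-07-16T10:01:13Z fw allow src=10.0.0.7 dst=183.83.172.232 dport=443 proto=tcp",
    "2024-07-16T10:02:40Z av scan path=/sdcard/Download/Teating.apk sha1=f159886dcf9021f41eaa2b0641a758c4f0c4033d",
    "2024-07-16T10:03:00Z dns query client=10.0.0.8 qname=updates.example.com type=A",
]


if __name__ == "__main__":
    for number, line, hits in scan_logs(SAMPLE_LOGS):
        print(f"line {number}: {hits}")
```

The hash match is case-insensitive and the domain match is exact after lowercasing, so a dynamic-DNS host written in mixed case in one log source still matches the published indicator.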
MITRE ATT&CK techniques
This table was built using version 15 of the MITRE ATT&CK mobile techniques.
| Tactic | ID | Name | Description |
|---|---|---|---|
| Initial Access | T1664 | Exploitation for Initial Access | The EvilVideo vulnerability can be abused by Android malware to gain initial device access. |
| Execution | T1658 | Exploitation for Client Execution | The EvilVideo vulnerability tricks the victim into installing a malicious app that impersonates a multimedia file. |
Source credit: cybersecuritynews.com