Telegram zero-day allowed sending malicious Android APKs as videos
A Telegram for Android zero-day vulnerability dubbed 'EvilVideo' allowed attackers to send malicious Android APK payloads disguised as video files.
A threat actor named 'Ancryno' first began selling the Telegram zero-day exploit on June 6, 2024, in a post on the Russian-speaking XSS hacking forum, stating the flaw existed in Telegram v10.14.4 and older.
ESET researchers discovered the flaw after a PoC demonstration was shared on a public Telegram channel, allowing them to obtain the malicious payload. ESET confirmed the exploit worked in Telegram v10.14.4 and older and named it 'EvilVideo'.
The EvilVideo zero-day flaw only worked on Telegram for Android and allowed attackers to create specially crafted APK files that, when sent to other users on Telegram, appeared as embedded videos.
On its default setting, the Telegram app on Android automatically downloads media files, so channel participants receive the payload on their device once they open the conversation.
For users who have disabled the auto-download, a single tap on the video preview is enough to initiate the file download. When users attempt to play the fake video, Telegram suggests using an external player, which may cause recipients to tap the "Open" button and execute the payload. Next, an additional step is required: the victim must enable the installation of unknown apps from the device settings, allowing the malicious APK file to install on the device.
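The core of the trick described above is a file whose name and preview say "video" while its content is an Android package. A content-sniffing check of the kind a scanner or messaging gateway could apply to attachments is shown here as an added example by the editor, not code from ESET or Telegram; the sample MP4 header and the minimal APK-like archive are constructed test data, and treating a ZIP that carries AndroidManifest.xml or a .dex entry as an APK is an assumption that holds for standard packages.

```python
import io
import os
import zipfile

# Constructed sample: a genuine ISO BMFF (MP4) file starts with a size field
# followed by the 'ftyp' box type at offset 4.
GENUINE_MP4 = b"\x00\x00\x00\x18ftypisom\x00\x00\x02\x00isomiso2mp41" + b"\x00" * 32

VIDEO_EXTENSIONS = {".mp4", ".mov", ".m4v", ".3gp", ".webm", ".mkv"}


def build_fake_video_apk() -> bytes:
    """Constructed test data: a minimal ZIP laid out like an APK (not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")  # placeholder content
        zf.writestr("classes.dex", b"dex\n035\x00")          # placeholder content
    return buf.getvalue()


def sniff_container(data: bytes) -> str:
    """Classify a blob by its bytes, ignoring whatever name or preview it came with."""
    if len(data) >= 12 and data[4:8] == b"ftyp":
        return "mp4"
    # An APK is a ZIP archive; the local file header signature is 'PK\x03\x04'.
    if data[:4] == b"PK\x03\x04":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "zip-corrupt"
        if "AndroidManifest.xml" in names or any(n.endswith(".dex") for n in names):
            return "apk"
        return "zip"
    return "unknown"


def is_disguised_apk(filename: str, data: bytes) -> bool:
    """True when a file presented with a video extension is really an APK."""
    ext = os.path.splitext(filename)[1].lower()
    return ext in VIDEO_EXTENSIONS and sniff_container(data) == "apk"


if __name__ == "__main__":
    for name, blob in [("clip.mp4", build_fake_video_apk()), ("clip.mp4", GENUINE_MP4)]:
        print(name, sniff_container(blob), "disguised" if is_disguised_apk(name, blob) else "ok")
```

The heuristic only catches the name/content mismatch; it says nothing about whether the APK itself is malicious, so it belongs in front of, not instead of, the "install unknown apps" decision the user is asked to make.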