ESET researchers have uncovered a zero-day vulnerability named “EvilVideo” that targets Telegram for Android, enabling attackers to send malicious payloads disguised as video files.
On June 6, 2024, a zero-day exploit targeting Telegram for Android appeared for sale on an underground forum. This exploit, leveraging a vulnerability named “EvilVideo,” was tested by ESET researcher Lukas Stefanko, who confirmed it allows attackers to distribute malicious Android payloads through Telegram channels, groups, and chats, masquerading them as multimedia files.
The exploit seller showcased screenshots and a video demonstrating the exploit in a public Telegram channel. On June 26, 2024, ESET reported the vulnerability to Telegram. The team at Telegram responded by releasing a patch on July 11, 2024, in version 10.14.5 of the app.
EvilVideo breakdown
The EvilVideo exploit affects Telegram for Android versions 10.14.4 and earlier. It likely utilizes the Telegram API to craft malicious multimedia files that appear as video previews in chats. Upon receiving these files, users with automatic media download enabled would inadvertently download the malicious payload.
Once the user attempts to play the video, Telegram displays a message indicating it cannot play the file and suggests using an external player. If the user follows this suggestion, they are prompted to install a malicious app disguised as an external player. This app, detected as Android/Spy.SpyMax.T, is downloaded as an apparent video file with an .apk extension. The exploit's nature misleads the Telegram preview into displaying the file as a video, even though it is an APK.
The exploit specifically targets Telegram for Android and has no impact on Telegram Web or Telegram Desktop clients. In ESET's tests on the latter two, the payloads were treated as multimedia files, preventing the exploit from functioning.
While the exact identity of the threat actor remains unknown, ESET discovered that the same individual has been advertising an Android cryptor-as-a-service on the same forum since January 2024. This service claims to be fully undetectable, though ESET has not tested those claims.
Telegram's resolution
Following the discovery of EvilVideo on June 26, 2024, ESET reported the issue to Telegram. Although initially unresponsive, Telegram's team confirmed the investigation on July 4, 2024, and issued a fix with the release of version 10.14.5 on July 11, 2024. The updated version correctly identifies shared files as applications, preventing the exploit from deceiving users.
If you are using Telegram on Android, you are advised to upgrade to the latest version as soon as possible. If you've recently received video files leading to installing APKs via Telegram, consider yourself breached and immediately initiate a clean-up procedure. It is unknown for how long this zero-day has been available to the exploit seller and how many cybercriminals might have been leveraging it in attacks.
BITR
Another good share Alex.
Moble data networks pose as much convenience as they do harm to breach your trust, make you prey and helpless to resist attack.
You know it seems just dumb to use a smartphone anymore. People go out in public and live on this little computer with a big chance missed.
The chance of a live conversation in person with someone.
Smartphones offer a wide range of apps that can compromise their users privacy. Even with privacy-focused alternatives tools, smartphones still present a higher risk of data exposure due to the sheer number of apps and services they support.
Ground your use of moble data networks and use only land cables for you internet useage needs.
Would be the smart thing to do, yeh?
BITR
Wise would be using phones/devices with an operating system based on AOSP stack on Android™ OS over 4G/LTE.
In a nutshell, the open-source component of Android is the Android Open Source Project (AOSP). GMS, on the other hand, lives on top of AOSP and provides much of the nice-to-have functionality you may have come to expect from modern-day Android.
(GMS) apps and services allow Google to profit from Android without charging anything upfront.
The simple Android Open Source Project is often confused with “stock Android”. AOSP is the bedrock of modern Android skins like One UI and MIUI. AOSP contains everything developers need to build Android, it crucially doesn’t include everything you need for a finished smartphone.
AOSP also doesn’t come with Google’s suite of software applications, such as its Chrome browser, YouTube, and even the Google Play Store. It also doesn’t include a number of Google’s under-the-hood technologies and APIs that enable features like mobile payments, voice commands, and cloud storage.
[https://www.androidauthority.com/aosp-explained-1093505/]
[https://www.androidauthority.com/google-mobile-services-gms-3025963/]