Attackers Exploit Telegram 'EvilVideo' Zero-Day to Disguise Malware
Introduction
A newly discovered zero-day vulnerability in older versions of Telegram's Android app has been exploited by cybercriminals to hide malicious payloads within video files. Dubbed "EvilVideo" by ESET Research, this exploit underscores the evolving tactics used by attackers to deliver malware through seemingly harmless media files. The flaw, which affects Telegram versions 10.14.4 and earlier, allows malicious actors to disguise harmful Android applications as multimedia content, potentially compromising user devices.
The 'EvilVideo' Exploit
- Discovery and Functionality: ESET Research uncovered the EvilVideo exploit on June 6, 2024, following an advertisement for the exploit on a Russian-language hacker forum. The vulnerability leverages Telegram's handling of media files to embed malicious payloads within video previews. By exploiting this flaw, attackers can share harmful apps through Telegram channels, groups, and direct messages, where these apps appear as 30-second video files.
- How It Works: The exploit relies on the Telegram API's ability to upload specifically crafted multimedia files. When users receive these files, Telegram automatically starts downloading them if the auto-download option is enabled. Once the file appears as a multimedia preview, users must click to play it. This action triggers a prompt suggesting the use of an external player, which then requests the installation of the disguised malicious app.
- Response and Fixes: ESET promptly reported the issue to Telegram, but initial responses were delayed. After a follow-up on July 5, Telegram released a server-side fix on July 11 for versions 10.14.5 and above. Users are advised to update their Telegram apps immediately to mitigate the risk of exploitation.
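The mechanism above boils down to one thing: a file is presented to the recipient as a video, but the bytes are an Android package. A defensive check that a mail or chat gateway, an EDR hook, or a security team triaging samples can apply is to classify an attachment by its leading bytes rather than by its name or declared media type, and to flag any "video" whose contents sniff as an APK. The following is an added example written for this article, not Telegram's code and not ESET's tooling; the sample blobs are constructed in-memory stand-ins (a minimal ftyp box and a ZIP with APK-style entry names, no real code) and the names and functions are the example's own.

```python
import io
import zipfile
from dataclasses import dataclass


@dataclass
class Verdict:
    declared: str   # what the filename's extension claims the file is
    detected: str   # what the leading bytes actually look like
    mismatch: bool  # True when a claimed video is not a video container


# Extensions a chat client would normally render with a video preview.
VIDEO_EXTENSIONS = {"mp4", "m4v", "mov", "3gp", "webm", "mkv"}


def sniff_container(data: bytes) -> str:
    """Classify a blob by magic bytes, ignoring its name entirely."""
    # ISO base media files (MP4/MOV/3GP) carry an 'ftyp' box at offset 4.
    if len(data) >= 12 and data[4:8] == b"ftyp":
        return "video/mp4-family"
    # Matroska and WebM start with the EBML header magic.
    if data.startswith(b"\x1a\x45\xdf\xa3"):
        return "video/matroska-family"
    # APKs are ZIP archives; open it and look for the Android markers.
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "application/zip (corrupt)"
        if "AndroidManifest.xml" in names or "classes.dex" in names:
            return "application/vnd.android.package-archive"
        return "application/zip"
    return "unknown"


def check_attachment(filename: str, data: bytes) -> Verdict:
    """Compare the name-based claim against the byte-based classification."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    declared = "video" if ext in VIDEO_EXTENSIONS else (ext or "none")
    detected = sniff_container(data)
    mismatch = declared == "video" and not detected.startswith("video/")
    return Verdict(declared, detected, mismatch)


def build_fake_apk() -> bytes:
    """Constructed sample: a ZIP with APK-style entry names and no real code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 8)
    return buf.getvalue()


def build_fake_mp4() -> bytes:
    """Constructed sample: a minimal ftyp box, enough to sniff as MP4."""
    return b"\x00\x00\x00\x18ftypmp42\x00\x00\x00\x00mp42isom" + b"\x00" * 16


if __name__ == "__main__":
    # Both samples arrive under the same innocuous name; only the bytes differ.
    for name, blob in [("clip.mp4", build_fake_mp4()), ("clip.mp4", build_fake_apk())]:
        v = check_attachment(name, blob)
        print(f"{name}: declared={v.declared} detected={v.detected} mismatch={v.mismatch}")
```

The point of opening the ZIP rather than stopping at the `PK` signature is that many legitimate formats (Office documents, JARs) are also ZIP containers; a detection that only matched the archive magic would be noisy, whereas the presence of AndroidManifest.xml or classes.dex is specific to Android packages. On a real pipeline the mismatch verdict would feed an alert or a quarantine decision rather than a print statement.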
Attack Requirements and Mitigations
- User Interaction Needed: The exploit requires users to interact with the malicious video file. Although this adds a layer of complexity to the attack, the vulnerability still provided a significant window of opportunity for cybercriminals. The malicious payload itself is not modified to look like multimedia content; rather, the flaw in how Telegram handles the uploaded file causes it to be presented as a video.
- Testing and Platform Limitations: ESET's testing revealed that the exploit affected the Telegram Android app but did not work on the Telegram Web client or Telegram Desktop client for Windows.
- Additional Threats: In addition to the EvilVideo exploit, ESET identified other dubious services associated with the attackers, including an Android cryptor-as-a-service advertised as "fully undetectable." This indicates a broader ecosystem of malicious tools available through underground forums.
Conclusion
The EvilVideo exploit highlights the need for heightened vigilance in managing digital threats. Users should be cautious about downloading and interacting with files received from unknown sources or unsolicited messages. Updating software regularly and implementing robust security practices are crucial steps in protecting against such sophisticated attacks. As cybercriminals continue to innovate their tactics, staying informed about emerging vulnerabilities and enhancing security measures will be essential for safeguarding personal and organizational data.
About Foresiet!
Foresiet is the pioneering force in digital security solutions, offering the first integrated Digital Risk Protection SaaS platform. With 24x7x365 dark web monitoring and proactive threat intelligence, Foresiet safeguards against data breaches and intellectual property theft. Our robust suite includes brand protection, takedown services, and supply chain assessment, enhancing your organization's defense mechanisms. Attack surface management is a key component of our approach, ensuring comprehensive protection across all vulnerable points. Compliance is assured through adherence to ISO27001, NIST, GDPR, PCI, SOX, HIPAA, SAMA, CITC, and Third Party regulations. Additionally, our advanced antiphishing shield provides unparalleled protection against malicious emails. Trust Foresiet to empower your organization to navigate the digital landscape securely and confidently.
Protect your brand, reputation, data, and systems with Foresiet's Integrated Digital Risk Platform. 24/7/365 threat monitoring for total peace of mind.
Nov. 21, 2024, 5:23 p.m.