Zero-day exploit in Telegram for Android patched after five weeks of vulnerability

Researchers have identified a zero-day exploit in the Telegram messaging app for Android devices, which could have allowed attackers to send malicious payloads disguised as legitimate files. The vulnerability, named EvilVideo by Slovakian cybersecurity firm ESET, specifically targeted Telegram for Android. It enabled attackers to create specially crafted APK files that appeared as embedded videos when sent to other users.

ESET discovered that the exploit leveraged the Telegram API to programmatically generate messages that displayed as 30-second videos. The exploit first surfaced on June 6, 2024, when a threat actor known as Ancryno began selling it on the Russian-speaking XSS hacking forum. The flaw was present in Telegram versions 10.14.4 and older.

Telegram addressed the issue earlier this month by releasing a patch in versions 10.14.5 and above, following reports from researchers. Although the zero-day was available for about five weeks, ESET has not confirmed if it was actively used in the wild.

by Paul

Telegram is a messaging app developed by the creators of VKontakte, emphasizing speed and security. Rated 4.1, it offers a superfast, simple, and free experience akin to SMS but with enhanced capabilities. Key features include being lightweight, supporting stickers, and integrating chat bots. Popular alternatives include Signal, Element, and Tox.

Comments

Darlene Sonalder
1

In general Telegram isn't a great messenger app. It is a strong social media similar to Facebook back in the days but not a place for safe communication. While this has nothing to do with Telegram's poor privacy this is just a reminder that it is not "a secure app" whatever that means.

Gu