We stumbled upon an underground forum post advertising a zero-day exploit targeting Telegram for Android. The seller showcased screenshots and a video demonstrating the exploit in action. By identifying the channel where the exploit was available, we managed to obtain the payload for further analysis.
Analysis
Our investigation revealed that the exploit was effective on Telegram versions 10.14.4 and older. The payload was likely crafted using the Telegram API, which lets developers upload customized multimedia files programmatically. The exploit tricks users into downloading a malicious app disguised as a video file; when the user attempts to play the "video," they are prompted to install the app instead.
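A content-based check for this class of trick, as an added example that is not from the report or from Telegram: it assumes the disguised app is a standard APK (a ZIP archive containing AndroidManifest.xml and a .dex file) and decides by file magic rather than by the declared file name. The sample bytes are constructed in memory for illustration, not real malware.

```python
import io
import struct
import zipfile


def build_fake_apk() -> bytes:
    """Constructed stand-in for an APK: a ZIP with the two entries every APK carries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()


def build_minimal_mp4() -> bytes:
    """Constructed MP4 prefix: a single 'ftyp' box (size, type, brand, version, compat brands)."""
    payload = b"isom" + struct.pack(">I", 0x200) + b"isommp42"
    return struct.pack(">I", 8 + len(payload)) + b"ftyp" + payload


def classify_attachment(data: bytes) -> str:
    """Classify by content only: 'video', 'android-app' or 'unknown'."""
    # ISO media files (MP4/MOV) place the 'ftyp' box type at bytes 4..8.
    if len(data) >= 12 and data[4:8] == b"ftyp":
        return "video"
    # Matroska/WebM starts with the EBML magic.
    if data[:4] == b"\x1a\x45\xdf\xa3":
        return "video"
    # APKs are ZIP archives; confirm the Android-specific entries are present.
    if data[:4] in (b"PK\x03\x04", b"PK\x05\x06"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "unknown"
        if "AndroidManifest.xml" in names and any(n.endswith(".dex") for n in names):
            return "android-app"
    return "unknown"


def is_disguised_app(data: bytes, declared_name: str) -> bool:
    """True when a file presented as a video is actually an Android app."""
    claims_video = declared_name.lower().endswith((".mp4", ".mkv", ".webm", ".mov"))
    return claims_video and classify_attachment(data) == "android-app"
```

Such a check belongs in the receiving client or a gateway scanning attachments, where the declared type and the actual content can be compared before any "open with" prompt is shown.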
Threat Actor
While details about the threat actor remain scarce, we uncovered additional shady services they offer based on their Telegram handle shared in the forum post. In addition to the exploit, they have been advertising an Android cryptor-as-a-service since January 11th, 2024, claiming it to be fully undetectable (FUD).
Vulnerability Report
After discovering the EvilVideo vulnerability, we promptly reported it to Telegram on June 26th, 2024. Following a second report on July 4th, Telegram acknowledged the issue and released a patch with version 10.14.5 on July 11th, 2024. The vulnerability affected Telegram for Android versions up to 10.14.4 but has since been resolved.
In conclusion, we uncovered a zero-day exploit targeting Telegram for Android, allowing malicious payloads to be disguised as multimedia files. Fortunately, Telegram swiftly addressed the vulnerability after our report. Users are now protected from falling victim to this exploit.