EvilVideo Exploit: Telegram Zero-Day Vulnerability Allows Disguised APK Attacks

A recent zero-day vulnerability in Telegram for Android, dubbed ‘EvilVideo,’ has been exploited by attackers to send malicious Android APK payloads disguised as video files. This significant security flaw was first brought to light when a threat actor named ‘Ancryno’ started selling the exploit on June 6, 2024, on the Russian-speaking XSS hacking forum. 

The vulnerability affected Telegram versions 10.14.4 and older.

ESET researchers discovered the flaw after a proof-of-concept demonstration was shared on a public Telegram channel, allowing them to analyze the malicious payload. They confirmed that the exploit worked on Telegram v10.14.4 and older, naming it ‘EvilVideo.’ The vulnerability was responsibly disclosed to Telegram by ESET researcher Lukas Stefanko on June 26 and again on July 4, 2024.

Telegram responded on July 4, indicating that they were investigating the report. 

Subsequently, they patched the vulnerability in version 10.14.5, released on July 11, 2024. This timeline suggests that threat actors had at least five weeks to exploit the zero-day vulnerability before it was patched.

While it remains unclear if the flaw was actively exploited in attacks, ESET shared a command and control server (C2) used by the payloads at ‘infinityhackscharan.ddns[.]net.’ BleepingComputer identified two malicious APK files using that C2 on VirusTotal that masqueraded as Avast Antivirus and an ‘xHamster Premium Mod.’ 

The Evi

[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.