A newly discovered zero-day vulnerability in Telegram for Android, known as ‘EvilVideo,’ allowed attackers to send malicious APK payloads disguised as video files.

The exploit was first publicized by a threat actor named ‘Ancryno’ on June 6, 2024, in a post on the Russian-speaking XSS hacking forum. Ancryno claimed that the vulnerability affected Telegram versions 10.14.4 and earlier.

ESET researchers uncovered the flaw after a proof-of-concept (PoC) demonstration was shared in a public Telegram channel, which provided them with the malicious payload. They verified that the exploit was effective in Telegram v10.14.4 and older versions and named it ‘EvilVideo.’ ESET researcher Lukas Stefanko responsibly disclosed the flaw to Telegram on June 26 and again on July 4, 2024.

Telegram responded on July 4, indicating they were investigating the report and subsequently patched the vulnerability in version 10.14.5, released on July 11, 2024.

This sequence of events suggests that attackers had at least five weeks to exploit the zero-day vulnerability before it was patched.

While it is still uncertain if the flaw was actively exploited in real-world attacks, ESET provided details of a command and control server (C2) used by the payloads, located at ‘infinityhackscharan.ddns[.]net.’
