
Telegram zero-day for Android allowed malicious files to masquerade as videos

Researchers have discovered a zero-day exploit for the Telegram messaging app on Android devices that could have allowed attackers to send malicious payloads disguised as legitimate files.

The exploit was built to abuse a vulnerability that Slovakia-based firm ESET dubbed EvilVideo. Telegram fixed the bug earlier this month in versions 10.14.5 and above after researchers reported it.

Threat actors had about five weeks to exploit the zero-day before it was patched, but it’s not clear if it was used in the wild, ESET said.

ESET discovered the exploit on an underground forum in early June. It was sold for an unspecified price by a user with the username “Ancryno.” In its post, the seller showed screenshots and a video of testing the exploit in a public Telegram channel.

In unpatched versions of Telegram for Android, attackers could use the exploit to send malicious payloads via Telegram channels, groups and chats, making them appear as multimedia files.

The exploit takes advantage of Telegram’s default setting to automatically download media files. The option can be disabled manually, but in that case, the payload could still be installed on the device if a user tapped the download button in the top left corner of the shared file. 

If the user tried to play the “video,” Telegram displayed a message that it was unable to play it and suggested using an external player. The hackers disguised a malicious app as this external player.

In the patched version of Telegram, the malicious file in the chat is now correctly displayed to the user as an application rather than a video.
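As an added, defender-side illustration (not from the article, ESET or Telegram), the check below sniffs a file's real type from its bytes and flags a file announced as a video whose contents are actually an Android package; the APK structure test and the sample bytes are assumptions constructed here.

```python
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"  # local file header of a ZIP archive (APKs are ZIPs)


def sniff_type(data: bytes) -> str:
    """Classify a blob by its bytes, ignoring any name or MIME type it arrived with."""
    # ISO BMFF containers (MP4/MOV/3GP): a 4-byte box size followed by 'ftyp'
    if len(data) >= 12 and data[4:8] == b"ftyp":
        return "video/mp4"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "application/zip-corrupt"
        # Assumption: treat a ZIP holding a manifest plus Dalvik bytecode as an Android package
        if "AndroidManifest.xml" in names and any(n.endswith(".dex") for n in names):
            return "application/vnd.android.package-archive"
        return "application/zip"
    return "application/octet-stream"


def is_masquerading(declared_mime: str, data: bytes) -> bool:
    """True when the type a message claims for an attachment disagrees with its bytes."""
    actual = sniff_type(data)
    if declared_mime.startswith("video/"):
        return not actual.startswith("video/")
    return declared_mime != actual


def make_fake_apk() -> bytes:
    """Constructed sample: a minimal ZIP shaped like an APK (no real code inside)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()


# Constructed sample: the first 24 bytes of an MP4 file (ftyp box, major brand mp42)
REAL_MP4_HEAD = bytes.fromhex("00000018") + b"ftypmp42" + bytes.fromhex("00000000") + b"mp42isom"

if __name__ == "__main__":
    print("apk as video flagged:", is_masquerading("video/mp4", make_fake_apk()))  # True
    print("real mp4 flagged:", is_masquerading("video/mp4", REAL_MP4_HEAD))        # False
```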

It is not clear which hacker group or threat actor was interested in this exploit, how they planned to use it and how effective it is.

The underground forum account spotted by ESET has also advertised Android cryptomining-as-a-service malware that the seller claims is fully undetectable, the researchers said.

Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.