Discover the EvilVideo zeroday flaw in Telegram for Android, its exploitation, and mitigation. Stay safe with detailed technical insights and recommendations.
On June 6, 2024, a threat actor named 'Ancryno' began selling a Telegram zero-day exploit on the Russian-speaking XSS hacking forum. Dubbed 'EvilVideo,' this vulnerability allowed attackers to send malicious Android APK payloads disguised as video files. This Threatfeed delves into the underlying nuances revolving around the intricacies of the EvilVideo exploit, its discovery, impact, and subsequent mitigation.
Security researchers discovered the flaw after a Proof of Concept (PoC) demonstration was shared on a public Telegram channel. The exploit, targeting Telegram versions v10.14.4 and older, was confirmed to work by ESET. Researcher Lukas Stefanko responsibly disclosed the flaw to Telegram on June 26, 2024, and again on July 4, 2024.
Telegram responded promptly, stating they were investigating the report. On July 11, 2024, they released version 10.14.5, which patched the vulnerability. This patch ended a five-week period during which threat actors could have exploited the zero-day.
The EvilVideo exploit was crafted to work solely on Telegram for Android. It allowed attackers to create specially crafted APK files that appeared as embedded videos when sent to other users on Telegram.
The EvilVideo exploit was significant but required multiple steps to execute, reducing the likelihood of a successful attack. Despite the threat actor's claim that the exploit was "one-click," the necessity for multiple user actions added friction to the process.
ESET identified a command and control server (C2) at 'infinityhackscharan.ddns[.]net' used by the payloads. Two malicious APK files using this C2 were found on VirusTotal, masquerading as Avast Antivirus and an 'xHamster Premium Mod.'
ESET's analysis revealed that the exploit was most likely crafted using the Telegram API. This allowed developers to upload specifically crafted multimedia files to Telegram chats or channels programmatically. The malicious payload appeared as a 30-second video due to this API manipulation.
import telegram
Replace with your own token and chat ID
bot = telegram.Bot(token='YOUR_BOT_TOKEN')
chat_id = 'YOUR_CHAT_ID'
Craft the malicious payload
payload = open('malicious_payload.apk', 'rb')
bot.send_video(chat_id=chat_id, video=payload, supports_streaming=True, caption="Check out this cool video!")
This Python snippet demonstrates how the Telegram API can be used to send a video, which in this case, would be the malicious payload.
Telegram's fix in version 10.14.5 now displays the APK file correctly in the preview, preventing deception by appearing as video files. Users are advised to perform a filesystem scan using a mobile security suite if they received suspicious video files that requested an external app to play via Telegram.
/storage/emulated/0/Telegram/Telegram Video/
/storage/<SD Card ID>/Telegram/Telegram Video/
Files
SHA-1 | Filename | Detection | Description |
---|---|---|---|
F159886DCF9021F41EAA2B0641A758C4F0C4033D | Teating.apk | Android/Spy.SpyMax.T | EvilVideo payload |
Network
IP | Domain | Hosting Provider | First Seen | Details |
---|---|---|---|---|
183.83.172[.]232 | infinityhackscharan.ddns[.]net | Administrator Beam Cable System | 2024-07-16 | C&C server of EvilVideo |
Tactic | ID | Name | Description |
---|---|---|---|
Initial Access | T1664 | Exploitation for Initial Access | The EvilVideo vulnerability can be abused by Android malware to achieve initial device access. |
Execution | T1658 | Exploitation for Client Execution | The EvilVideo vulnerability tricks the victim into installing a malicious app that impersonates a multimedia file. |