EvilVideo: The Zero-Day Vulnerability in Telegram for Android

Discover the EvilVideo zeroday flaw in Telegram for Android, its exploitation, and mitigation. Stay safe with detailed technical insights and recommendations.

22-Jul-2024
4 min read

On June 6, 2024, a threat actor named 'Ancryno' began selling a Telegram zero-day exploit on the Russian-speaking XSS hacking forum. Dubbed 'EvilVideo,' this vulnerability allowed attackers to send malicious Android APK payloads disguised as video files. This Threatfeed covers the EvilVideo exploit in detail: its discovery, mechanism, impact, and subsequent mitigation.


Discovery and Disclosure

Security researchers discovered the flaw after a Proof of Concept (PoC) demonstration was shared on a public Telegram channel. The exploit, targeting Telegram versions v10.14.4 and older, was confirmed to work by ESET. Researcher Lukas Stefanko responsibly disclosed the flaw to Telegram on June 26, 2024, and again on July 4, 2024.

Telegram responded promptly, stating they were investigating the report. On July 11, 2024, they released version 10.14.5, which patched the vulnerability. This patch ended a five-week period during which threat actors could have exploited the zero-day.

[Figure: snapshot of the post on an underground forum (source: ESET)]

Exploit Mechanism

The EvilVideo exploit was crafted to work solely on Telegram for Android. It allowed attackers to create specially crafted APK files that appeared as embedded videos when sent to other users on Telegram.

Exploit Details
  1. Payload Creation: The exploit uses the Telegram API to programmatically create a message that appears to show a 30-second video.
  2. Media Auto-Download: On its default setting, the Telegram app automatically downloads media files. Users who have this setting enabled would receive the payload once they opened the conversation.
  3. Manual Download: For users who have disabled auto-download, a single tap on the video preview would initiate the file download.
  4. Execution: When users attempt to play the fake video, Telegram suggests using an external player, prompting the recipient to tap "Open" and execute the payload.
  5. Installation: The victim must enable the installation of unknown apps from the device settings, allowing the malicious APK file to install on the device.

Impact Analysis

The EvilVideo exploit was significant but required multiple steps to execute, reducing the likelihood of a successful attack. Despite the threat actor's claim that the exploit was "one-click," the necessity for multiple user actions added friction to the process.

C2 Server and Malicious APKs

ESET identified a command and control server (C2) at 'infinityhackscharan.ddns[.]net' used by the payloads. Two malicious APK files using this C2 were found on VirusTotal, masquerading as Avast Antivirus and an 'xHamster Premium Mod.'


Technical Analysis

ESET's analysis revealed that the exploit was most likely crafted using the Telegram API. This allowed developers to upload specifically crafted multimedia files to Telegram chats or channels programmatically. The malicious payload appeared as a 30-second video due to this API manipulation.

```python
import telegram

# Replace with your own token and chat ID
bot = telegram.Bot(token='YOUR_BOT_TOKEN')
chat_id = 'YOUR_CHAT_ID'

# Craft the malicious payload: the APK is sent through the video-sending method
with open('malicious_payload.apk', 'rb') as payload:
    bot.send_video(chat_id=chat_id, video=payload, supports_streaming=True,
                   caption="Check out this cool video!")
```

This Python snippet demonstrates how the Telegram API can be used to send a video, which, in this case, would be the malicious payload.


Mitigation and Recommendations

Telegram's fix in version 10.14.5 renders the APK file correctly in the preview, so it can no longer pass for a video file. Users who received a suspicious video through Telegram that asked for an external app to play it are advised to run a filesystem scan with a mobile security suite.

File Locations
  • Internal Storage: /storage/emulated/0/Telegram/Telegram Video/
  • External Storage: /storage/<SD Card ID>/Telegram/Telegram Video/
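The core of the deception is a file whose name says "video" but whose content is an APK, so a scan of the two directories above should decide by content, not by extension. The following scanner is an added example written for this article; it is not code from the article, ESET or Telegram. It treats any file that is a ZIP archive containing AndroidManifest.xml and classes.dex as an APK, flags such files that carry a video extension, and reports any file whose SHA-1 matches the payload hash from the IoC table on this page. The sample directory it builds, the extension list and the verdict names are constructed for illustration.

```python
import hashlib
import os
import tempfile
import zipfile

# SHA-1 of the EvilVideo payload listed in the IoC table of this article.
KNOWN_BAD_SHA1 = {"f159886dcf9021f41eaa2b0641a758c4f0c4033d"}

# Directories Telegram for Android stores received videos in (from the article);
# the SD-card path needs the card ID filled in before use.
TELEGRAM_VIDEO_DIRS = [
    "/storage/emulated/0/Telegram/Telegram Video/",
    "/storage/<SD Card ID>/Telegram/Telegram Video/",
]

# Extensions a received "video" is expected to carry (constructed list).
VIDEO_EXTENSIONS = {".mp4", ".mkv", ".mov", ".avi", ".3gp", ".webm"}


def sha1_of_file(path):
    """Stream the file through SHA-1 so large videos need not fit in memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def looks_like_apk(path):
    """True if the file is a ZIP archive carrying the two members every APK has."""
    if not zipfile.is_zipfile(path):
        return False
    try:
        with zipfile.ZipFile(path) as archive:
            names = set(archive.namelist())
    except zipfile.BadZipFile:
        return False
    return "AndroidManifest.xml" in names and "classes.dex" in names


def classify(path):
    """Return a verdict for one file; the extension is never trusted on its own."""
    if sha1_of_file(path) in KNOWN_BAD_SHA1:
        return "known_evilvideo_payload"
    ext = os.path.splitext(path)[1].lower()
    if looks_like_apk(path):
        return "apk_disguised_as_video" if ext in VIDEO_EXTENSIONS else "apk_file"
    return "clean"


def scan_directory(directory):
    """Map every file name under `directory` to its verdict."""
    verdicts = {}
    for root, _, files in os.walk(directory):
        for name in files:
            verdicts[name] = classify(os.path.join(root, name))
    return verdicts


def build_sample_dir():
    """Constructed test data, not real samples: a ZIP with APK members saved under
    a video name, the same content under an .apk name, and a file that starts
    with a genuine MP4 'ftyp' box."""
    directory = tempfile.mkdtemp(prefix="telegram_video_")
    for name in ("trailer.mp4", "installer.apk"):
        with zipfile.ZipFile(os.path.join(directory, name), "w") as archive:
            archive.writestr("AndroidManifest.xml", "<manifest/>")
            archive.writestr("classes.dex", b"dex\n035\x00")
    with open(os.path.join(directory, "holiday.mp4"), "wb") as fh:
        fh.write(b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 64)
    return directory


def demo():
    """Scan the constructed directory and return the verdict map."""
    return scan_directory(build_sample_dir())


if __name__ == "__main__":
    # On a device image, scan the real Telegram directories; otherwise use the sample.
    targets = [d for d in TELEGRAM_VIDEO_DIRS if os.path.isdir(d)] or [build_sample_dir()]
    for target in targets:
        for name, verdict in scan_directory(target).items():
            print(f"{verdict:24} {name}")
```

Run it against a mounted device image or a backup of the Telegram folder; a verdict of `apk_disguised_as_video` is the EvilVideo pattern, while `known_evilvideo_payload` means the exact sample from the IoC table is present.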

Indicators of Compromise (IoCs)

Files

| SHA-1 | Filename | Detection | Description |
|---|---|---|---|
| F159886DCF9021F41EAA2B0641A758C4F0C4033D | Teating.apk | Android/Spy.SpyMax.T | EvilVideo payload |

Network

| IP | Domain | Hosting Provider | First Seen | Details |
|---|---|---|---|---|
| 183.83.172[.]232 | infinityhackscharan.ddns[.]net | Administrator Beam Cable System | 2024-07-16 | C&C server of EvilVideo |
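The network indicators above are published defanged (`[.]`), so they have to be refanged before they can be compared with real DNS or firewall logs. The following sweep is an added example written for this article, not code from ESET or the article itself: it refangs the two indicators, extracts hostnames and dotted-quad addresses from each log line, and reports a hit for the listed address, the listed domain, or any subdomain of it. The log lines are constructed for the demonstration and are not captured traffic.

```python
import ipaddress
import re

# Network indicators as published (defanged) in the IoC table of this article.
DEFANGED_IOCS = {
    "domain": ["infinityhackscharan.ddns[.]net"],
    "ip": ["183.83.172[.]232"],
}


def refang(indicator):
    """Undo the usual defanging so the value can be compared with real log data."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


IOC_DOMAINS = {refang(d).lower() for d in DEFANGED_IOCS["domain"]}
IOC_IPS = {ipaddress.ip_address(refang(ip)) for ip in DEFANGED_IOCS["ip"]}

# Loose extractors: any dotted hostname, any dotted quad. False positives are
# removed by comparing against the indicator sets, not by the regex itself.
HOST_RE = re.compile(r"(?<![\w.-])((?:[a-z0-9-]+\.)+[a-z]{2,})(?![\w-])", re.I)
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def match_line(line):
    """Return (kind, value) pairs for every indicator found in one log line.
    Subdomains of a listed domain count as hits too."""
    hits = []
    for host in HOST_RE.findall(line):
        host = host.lower()
        if host in IOC_DOMAINS or any(host.endswith("." + d) for d in IOC_DOMAINS):
            hits.append(("domain", host))
    for quad in IPV4_RE.findall(line):
        try:
            if ipaddress.ip_address(quad) in IOC_IPS:
                hits.append(("ip", quad))
        except ValueError:  # e.g. 999.1.1.1 slipped past the regex
            pass
    return hits


def scan_logs(lines):
    """Return (line_number, (kind, value)) for each hit across the whole log."""
    return [(n, hit) for n, line in enumerate(lines, 1) for hit in match_line(line)]


# Constructed log lines for the demonstration; not captured traffic.
SAMPLE_LOGS = [
    "2024-07-16T10:02:11Z dns client=10.0.0.12 qtype=A qname=infinityhackscharan.ddns.net",
    "2024-07-16T10:02:12Z conn src=10.0.0.12 dst=183.83.172.232:443 proto=tcp",
    "2024-07-16T10:03:40Z dns client=10.0.0.15 qtype=A qname=updates.example.net",
    "2024-07-16T10:05:02Z conn src=10.0.0.15 dst=93.184.216.34:443 proto=tcp",
]


def demo():
    """Sweep the constructed log and return the hits."""
    return scan_logs(SAMPLE_LOGS)


if __name__ == "__main__":
    for line_no, (kind, value) in demo():
        print(f"line {line_no}: {kind} indicator {value}")
```

The domain check is deliberately suffix-based: a dynamic-DNS host such as the one listed is easily fronted by subdomains, and matching only the exact string would miss them. Feed the function the lines of a real DNS or proxy log in place of `SAMPLE_LOGS`.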

MITRE ATT&CK Techniques

| Tactic | ID | Name | Description |
|---|---|---|---|
| Initial Access | T1664 | Exploitation for Initial Access | The EvilVideo vulnerability can be abused by Android malware to achieve initial device access. |
| Execution | T1658 | Exploitation for Client Execution | The EvilVideo vulnerability tricks the victim into installing a malicious app that impersonates a multimedia file. |