ESET researchers recently discovered a critical zero-day vulnerability in the Telegram messaging app for Android, potentially exposing millions of users to malicious attacks.
The exploit, dubbed “EvilVideo,” allowed attackers to disguise harmful Android payloads as innocuous video files that could be distributed through Telegram channels, groups, and private chats.
The vulnerability was first identified when ESET researchers found an advertisement for the exploit on an underground forum on June 6, 2024. Using the alias “Ancryno,” the seller offered the zero-day for an undisclosed price, claiming it worked on Telegram versions 10.14.4 and older.
This information enabled ESET researchers to track down the channel, obtain the payload, and perform a detailed analysis.
ESET’s investigation revealed that the exploit affects Telegram versions 10.14.4 and older. The payload, likely crafted using the Telegram API, masquerades as a 30-second video.
How is the Telegram Zero-Day Vulnerability Exploited?
If a user attempts to play the “video,” Telegram cannot render it and displays an error message suggesting the use of an external player. Tapping the Open button in that message starts the installation of a malicious app posing as the external player.
Because the app comes from outside the Play Store, Android then asks the user to allow Telegram to install unknown apps; once that permission is granted, the malicious app is installed. The payload itself is an Android package with a .apk extension, but the vulnerability causes Telegram to present it in the chat as a multimedia file with a video preview rather than as a document.
When shared in a chat, the payload therefore looks like an ordinary video and benefits from Telegram’s default setting that automatically downloads media files. Users who leave that setting enabled download the malicious payload to the device simply by opening the conversation, before they tap anything.
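The chain above hinges on a file that is an APK by content but a video by appearance. A practical check is to classify downloaded files by their bytes rather than by their name or by what the chat UI showed, and to compare their SHA-1 against the IoC published for the payload. The following Python script is an added example written for this page, not code from ESET or from the original article; the sample "APK" and "MP4" blobs are constructed in memory so it runs offline, and the hypothetical `check_download` helper assumes it is handed files found in Telegram's media download folder.

```python
import hashlib
import io
import zipfile

# SHA-1 of the EvilVideo payload (Teating.apk) as listed in the IoC table on this page.
EVILVIDEO_SHA1 = "f159886dcf9021f41eaa2b0641a758c4f0c4033d"


def classify(data: bytes) -> str:
    """Classify a blob by its content, ignoring filename and extension."""
    # ISO BMFF containers (MP4/MOV/3GP) start with a 4-byte box size and the 'ftyp' tag.
    if len(data) >= 12 and data[4:8] == b"ftyp":
        return "mp4"
    # An APK is a ZIP archive; require Android-specific members, a plain ZIP is not an APK.
    if data[:4] == b"PK\x03\x04":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "unknown"
        if "AndroidManifest.xml" in names or "classes.dex" in names:
            return "apk"
        return "zip"
    return "unknown"


def check_download(filename: str, data: bytes) -> dict:
    """Verdict for one file taken from a messenger's auto-download folder (hypothetical helper)."""
    kind = classify(data)
    sha1 = hashlib.sha1(data).hexdigest()
    looks_like_video = filename.lower().endswith((".mp4", ".mov", ".3gp", ".mkv"))
    return {
        "filename": filename,
        "sha1": sha1,
        "content_type": kind,
        "known_evilvideo": sha1 == EVILVIDEO_SHA1,
        # Executable content in a media folder, or a "video" that is not a video, is the EvilVideo pattern.
        "suspicious": kind == "apk" or (looks_like_video and kind != "mp4"),
    }


def constructed_apk() -> bytes:
    """Constructed stand-in for an APK: a ZIP carrying the Android-specific members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()


# Constructed minimal MP4 header: box size 0x18, 'ftyp', major brand 'mp42', one compatible brand.
CONSTRUCTED_MP4 = b"\x00\x00\x00\x18ftypmp42\x00\x00\x00\x00mp42isom"


if __name__ == "__main__":
    # A real video and an APK that the chat UI would have shown as a video.
    for name, blob in (("clip.mp4", CONSTRUCTED_MP4), ("Teating.apk", constructed_apk())):
        print(check_download(name, blob))
```

Content-based classification is what matters here: the chat preview, the extension, and even the MIME type a sender supplies through an API are all attacker-controlled, while the ZIP structure with `AndroidManifest.xml` or `classes.dex` is what Android's package installer actually needs to run the file.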
ESET researchers promptly reported the vulnerability to Telegram on June 26, 2024, and again on July 4. Telegram acknowledged the issue and released a patch in version 10.14.5 on July 11, 2024, effectively closing the security gap.
While it remains unclear if the exploit was used in real-world attacks, the potential for widespread damage was significant given Telegram’s popularity, with over a billion downloads of its Android app.
The threat actor behind EvilVideo also offers an Android cryptor-as-a-service, claiming it is fully undetectable (FUD). This service has been advertised on the same underground forum since January 11, 2024.
Telegram users are strongly advised to update their app to the latest version and exercise caution when interacting with media files from unknown sources. This event serves as a reminder of the persistent risks in the digital landscape and the critical role of cybersecurity research in protecting users from emerging threats.
IoCs
A comprehensive list of Indicators of Compromise (IoCs) and samples can be found in ESET’s GitHub repository.
Files
SHA-1 | Filename | Detection | Description |
--- | --- | --- | --- |
F159886DCF9021F41EAA2B0641A758C4F0C4033D | Teating.apk | Android/Spy.SpyMax.T | EvilVideo payload. |
Network
IP | Domain | Hosting provider | First seen | Details |
--- | --- | --- | --- | --- |
183.83.172[.]232 | infinityhackscharan.ddns[.]net | Administrator Beam Cable System | 2024‑07‑16 | C&C server of EvilVideo payload. |
MITRE ATT&CK techniques
This table was built using version 15 of the MITRE ATT&CK mobile techniques.
Tactic | ID | Name | Description |
--- | --- | --- | --- |
Initial Access | T1664 | Exploitation for Initial Access | The EvilVideo vulnerability can be abused by Android malware to achieve initial device access. |
Execution | T1658 | Exploitation for Client Execution | The EvilVideo vulnerability tricks the victim into installing a malicious app that impersonates a multimedia file. |