Cursed tapes: Exploiting the EvilVideo vulnerability on Telegram for Android

Researchers uncovered a zero-day exploit called EvilVideo that targets Telegram for Android, enabling attackers to deliver malicious apps disguised as video files. Telegram patched the vulnerability in version 10.14.5 (July 11, 2024), and the attack flow relies on users inadvertently installing an external app after attempting to play a faux video. #EvilVideo #TelegramAndroid #SpyMax #Teating

Keypoints

  • The EvilVideo vulnerability allows malware to masquerade as multimedia content and trigger installation of a malicious APK through Telegram’s Android client, which is the target.
  • The zero-day appeared for sale in underground forums on June 26, 2024, and was reported to Telegram by researchers on June 26, 2024, with a patch released on July 11, 2024.
  • Payloads shared via Telegram channels/groups can display as a 30-second video, exploiting default media auto-download and user actions to deploy malware.
  • The vulnerability affects Telegram for Android up to version 10.14.4; versions 10.14.5 and above are patched.
  • Tests show the exploit does not work on Telegram Web or Desktop; the attack relies on Android-specific handling of media previews and APK installations.
  • IoCs include network indicators (IP and domain), a sample APK payload (Teating.apk), and related filenames (Teating.mp4), plus a malware detection label Android/Spy.SpyMax.T.
  • A threat actor also advertised an Android cryptor-as-a-service on the same underground forum as part of the campaign ecosystem.
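As an added example (not code from the ESET write-up, Telegram, or the campaign itself), a defender-side check that flags the mismatch the lure described above depends on: a file whose name claims a video but whose bytes are an Android package. Sample inputs are constructed in memory; the ZIP and MP4 magic-byte facts are general knowledge, not details taken from the page.

```python
# Added example (not from the ESET write-up): a defender-side check that
# classifies a file by its content rather than trusting the .mp4 extension.
# Sample inputs are constructed in memory; "Teating.mp4" is the filename the
# page reports. Magic-byte facts are general knowledge, not taken from the page.
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"                      # ZIP local file header; APKs are ZIPs
VIDEO_EXTS = {"mp4", "mov", "m4v", "3gp"}
APK_MARKERS = {"AndroidManifest.xml", "classes.dex"}


def sniff(data: bytes) -> str:
    """Return 'video', 'apk', 'zip' or 'unknown' from the bytes alone."""
    # ISO BMFF containers (MP4/MOV/3GP) carry the box type "ftyp" at offset 4.
    if len(data) >= 12 and data[4:8] == b"ftyp":
        return "video"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "unknown"
        return "apk" if names & APK_MARKERS else "zip"
    return "unknown"


def is_disguised_apk(filename: str, data: bytes) -> bool:
    """True when the name claims a video but the content is an Android package."""
    ext = filename.lower().rsplit(".", 1)[-1]
    return ext in VIDEO_EXTS and sniff(data) == "apk"


def make_fake_apk() -> bytes:
    """Constructed sample: a minimal ZIP with APK marker entries (not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()


def make_fake_mp4() -> bytes:
    """Constructed sample: an MP4 'ftyp' box header followed by padding."""
    return (24).to_bytes(4, "big") + b"ftypisom" + b"\x00" * 16


if __name__ == "__main__":
    for name, blob in (("Teating.mp4", make_fake_apk()), ("clip.mp4", make_fake_mp4())):
        print(f"{name}: {sniff(blob)} -> {'DISGUISED' if is_disguised_apk(name, blob) else 'ok'}")
```

The same content-first check applies to any messenger or mail gateway that previews attachments by extension; the point is to classify on bytes before the platform decides how to open the file.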

MITRE Techniques

  • [T1664] Exploitation for Initial Access – “The EvilVideo vulnerability can be abused by Android malware to achieve initial device access.”
  • [T1658] Exploitation for Client Execution – “The EvilVideo vulnerability tricks the victim into installing a malicious app that impersonates a multimedia file.”

Indicators of Compromise

  • [IP] C2 server – 183.83.172.232
  • [Domain] C2 domain – infinityhackscharan.ddns.net
  • [File name] Malicious payload file – Teating.apk
  • [File name] App disguised as video – Teating.mp4
  • [File hash] EvilVideo payload hashes – F159886DCF9021F41EAA, 2B0641A758C4F0C4033D

Read more: https://www.welivesecurity.com/en/eset-research/cursed-tapes-exploiting-evilvideo-vulnerability-telegram-android/