A zero-day vulnerability in Telegram for Android, dubbed EvilVideo, allowed attackers to send malicious APK files that the messenger displayed as videos, Bleeping Computer reported.
On June 6, a user going by Ancryno posted on the Russian-language XSS forum offering to sell a zero-day exploit that works against Telegram version v10.14.4 and older.
On July 4, Telegram responded that it was looking into the issue. The flaw was fixed in version 10.14.5, released on July 11. Attackers therefore had about five weeks in which to exploit it, and devices still running an older version of the app remain exposed.
The vulnerability allowed attackers to send APK files disguised as videos to users in the messenger. The antivirus vendor ESET, which analyzed the exploit, believes the attackers used the Telegram API to craft messages whose attachment was shown as a 30-second video; in other words, what the recipient saw as a video was determined by how the message was constructed, not by the content of the attached file.
Exploitation was made easier by the Android app's default setting of automatically downloading media: the malicious APK was downloaded as soon as the user opened the notification. With automatic downloads turned off, a single tap on the apparent video was enough to start the download instead.
When the user tried to play the "video", Telegram could not play it and offered to open it in an external player; tapping "Open" handed the already downloaded file to Android, which recognized it as an APK and started the installation flow.
For the malware to actually be installed, however, the user also had to allow installation of apps from unknown sources in the device settings (Android's "Install unknown apps" permission). The seller advertised the exploit as one-click, but in practice several user interactions were required before the smartphone was infected.
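The chain above hinges on the client presenting an attachment as a video on the strength of attributes the sender controls. As an added example (not Telegram's code and not part of the original article), the Python below sniffs an attachment's real type from its bytes and flags a declared video whose content is an APK. The sample "APK" and "MP4" are constructed placeholders, not real files; the check goes slightly beyond the article's case by also catching an APK with a genuine MP4 header prepended, since ZIP archives (and therefore APKs) are parsed from their end, not their start.

```python
import io
import struct
import zipfile

# Content markers. An APK is a ZIP archive whose entries include an Android
# manifest and/or DEX bytecode; an MP4 begins with a size-prefixed "ftyp" box.
APK_MARKERS = ("AndroidManifest.xml", "classes.dex")


def looks_like_apk(data: bytes) -> bool:
    """Return True if the bytes parse as a ZIP archive containing APK entries.

    ZIP is parsed from its end (the end-of-central-directory record), so this
    also catches a payload with arbitrary bytes, such as a real video header,
    prepended to it; checking only the first four bytes for "PK" would not.
    """
    bio = io.BytesIO(data)
    if not zipfile.is_zipfile(bio):
        return False
    try:
        with zipfile.ZipFile(bio) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False
    return any(marker in names for marker in APK_MARKERS)


def looks_like_mp4(data: bytes) -> bool:
    """Return True if the bytes start with an ISO BMFF 'ftyp' box."""
    return len(data) >= 12 and data[4:8] == b"ftyp"


def classify(declared_mime: str, data: bytes) -> str:
    """Decide what a received attachment really is.

    The declared MIME type comes from the sender and is attacker-controlled;
    the verdict is based on the bytes. The APK check runs first so that a
    video header glued onto an APK cannot talk its way past the sniffer.
    """
    if looks_like_apk(data):
        return "apk-disguised-as-video" if declared_mime.startswith("video/") else "apk"
    if looks_like_mp4(data):
        return "video"
    return "unknown"


# --- constructed sample data (placeholders, not real malware) -------------

def build_sample_apk() -> bytes:
    """Minimal ZIP with APK-style entry names; the contents are dummies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()


def build_sample_mp4() -> bytes:
    """Just enough of an MP4 to carry a well-formed 'ftyp' box."""
    body = b"ftyp" + b"isom" + struct.pack(">I", 0x200) + b"isomiso2mp41"
    return struct.pack(">I", 4 + len(body)) + body


def demo() -> dict:
    """Classify a few constructed messages: (declared mime, duration, bytes)."""
    apk, mp4 = build_sample_apk(), build_sample_mp4()
    messages = {
        "real_video": ("video/mp4", 30, mp4),
        "evilvideo_style": ("video/mp4", 30, apk),        # APK sent with video attributes
        "polyglot": ("video/mp4", 30, mp4 + apk),         # video header prepended to an APK
        "plain_apk": ("application/vnd.android.package-archive", 0, apk),
    }
    return {name: classify(mime, data) for name, (mime, _, data) in messages.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16} -> {verdict}")
```

The point of the design is that the sender-supplied MIME type and duration are treated as untrusted hints only; the decision to show a play button, auto-download, or hand the file to another app should rest on what the bytes are.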
A Telegram representative said this was not a vulnerability in the messenger, since the user had to open the video and change the Android security settings before the suspicious APK could be installed.