Carding Forum
In the Android version of the Telegram messenger, a vulnerability has been identified that allows an attacker to send malicious APK payloads disguised as video content. The flaw was named "EvilVideo".
On June 6, 2024, a cybercriminal using the handle Ancryno posted an advertisement on the XSS hacker forum offering a zero-day exploit for Telegram for sale.
The seller claimed that the vulnerability affected Telegram v10.14 and older versions of the messenger. Researchers from the antivirus company ESET later found a proof-of-concept (PoC) exploit in one of the public Telegram channels.
It was ESET that named the issue EvilVideo, confirming that the PoC worked against v10.14.4 and older Telegram releases. On July 4, the messenger's developers responded, stating that the flaw was closed in release 10.14.5 (published on July 11).
In practice, this means attackers had at least five days in which to use EvilVideo. Experts still find it hard to say whether the vulnerability was used in real attacks, but they did come across the command-and-control server infinityhackscharan.ddns[.]net, where payloads were hosted.
ESET believes the root of the flaw lies in the Telegram API, which lets a client programmatically craft a message that is rendered as a 30-second video.
Telegram's default settings allow automatic downloading of media files, so the disguised APK lands on the device as soon as the chat is opened. When the user tries to play the "video", Telegram cannot render it and suggests opening it in a third-party player; accepting that prompt leads to the APK install prompt rather than to a player. Turning off automatic media download in Telegram's settings and refusing any offer to install an external player that originates from a chat message removes the trigger for this attack.
ESET posted a video on YouTube that demonstrates the exploitation of the vulnerability:
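As an added example (not from the original post and not ESET's or Telegram's code), the script below shows the check a responder would run over a device's Telegram media folder after reading the description above: it sniffs each file's real container type from its leading bytes and flags files that carry a video extension but are actually an APK (a ZIP with AndroidManifest.xml and a .dex inside). The sample "video" and "APK" are constructed in memory; the Telegram media path in the usage note is an assumption about where the app stores auto-downloaded videos.

```python
import io
import os
import struct
import zipfile

# Constructed samples (not real malware): a minimal ISO BMFF 'ftyp' box,
# and an in-memory ZIP carrying the entries every APK has.
def make_fake_mp4() -> bytes:
    body = b"isom" + struct.pack(">I", 0x200) + b"isomiso2mp41"
    return struct.pack(">I", 8 + len(body)) + b"ftyp" + body

def make_fake_apk() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")  # binary XML in a real APK
        z.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()

def classify(data: bytes) -> str:
    """Identify the container by content, ignoring the file name entirely."""
    # ISO BMFF (MP4/MOV): a 4-byte box size followed by the 'ftyp' tag.
    if len(data) >= 12 and data[4:8] == b"ftyp":
        return "mp4"
    # Matroska/WebM: EBML header magic.
    if data.startswith(b"\x1a\x45\xdf\xa3"):
        return "matroska"
    # ZIP local file header; an APK is a ZIP with a manifest and dex code.
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = set(z.namelist())
        except zipfile.BadZipFile:
            return "zip-damaged"
        if "AndroidManifest.xml" in names and any(n.endswith(".dex") for n in names):
            return "apk"
        return "zip"
    return "unknown"

VIDEO_EXT = {".mp4", ".mov", ".webm", ".mkv"}
VIDEO_KINDS = {"mp4", "matroska"}

def find_disguised(files: dict) -> list:
    """Return (name, sniffed_kind) for files whose video extension lies about the content."""
    flagged = []
    for name, data in files.items():
        ext = os.path.splitext(name)[1].lower()
        kind = classify(data)
        if ext in VIDEO_EXT and kind not in VIDEO_KINDS:
            flagged.append((name, kind))
    return flagged

def scan_directory(path: str) -> list:
    """Walk a media folder pulled from a device and apply the same check to real files."""
    files = {}
    for root, _dirs, names in os.walk(path):
        for n in names:
            full = os.path.join(root, n)
            with open(full, "rb") as fh:
                files[full] = fh.read(64 * 1024)  # headers and the ZIP directory are near the start
    return find_disguised(files)

if __name__ == "__main__":
    # Constructed demo: one genuine clip and one APK wearing a video name.
    sample = {"holiday.mp4": make_fake_mp4(), "funny.mp4": make_fake_apk()}
    print(find_disguised(sample))  # -> [('funny.mp4', 'apk')]
```

On a device image, point `scan_directory` at the folder where Telegram Android keeps auto-downloaded clips (assumed here to be `Android/media/org.telegram.messenger/Telegram/Telegram Video/` on shared storage); any hit with kind `apk` is a candidate EvilVideo sample worth hashing and checking against the C2 indicator above. Reading only the first 64 KiB is a deliberate trade-off: it is enough for the magic-byte checks, but a ZIP whose central directory sits past that point will be reported as `zip-damaged` rather than `apk`, so treat that result as suspicious too.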