Exploiting the Invisible: How a Telegram Zero-Day Vulnerability Delivered Malware Disguised as Videos
Introduction
Cybersecurity firm ESET has discovered that threat actors exploited a vulnerability in Telegram for Android to distribute malicious files disguised as videos. This zero-day exploit, named "EvilVideo," allowed attackers to abuse Telegram's API to deliver malware through crafted multimedia files shared in channels, groups, and chats.
Discovery and Analysis
ESET researcher Lukáš Štefanko discovered the exploit while monitoring an underground forum where it was advertised for sale. The seller provided screenshots and a video demonstrating the exploit in a public Telegram channel, enabling ESET to identify the channel, retrieve the payload, and analyze it.
ESET's analysis revealed that EvilVideo works on Telegram versions 10.14.4 and older. The exploit leverages the Telegram API, allowing developers to upload specially crafted multimedia files to Telegram chats or channels programmatically. This manipulation made the malicious payload appear as a 30-second video instead of a binary attachment.
Mechanism of the Exploit
By default, Telegram downloads media files automatically. This means users with this setting enabled would unknowingly download the malicious payload upon opening the conversation where it was shared. Even if the automatic download option is disabled, users can manually download the payload by tapping the download button.
When users attempt to play the "video," Telegram displays a message indicating it is unable to play the file and suggests using an external player. If users follow this suggestion, they are prompted to install a malicious app disguised as a video player. Telegram also requests users to enable the installation of unknown applications, further compromising security.
Technical Details
The EvilVideo exploit relies on creating a payload that displays an Android app as a multimedia preview. The malicious app itself was not altered to appear as a multimedia file; the vulnerability's nature caused the shared file to look like a video. This exploit was specifically crafted for Telegram for Android and did not affect other clients of the communication platform.
ESET reported the EvilVideo vulnerability to Telegram on June 26, 2024, but initially received no response. After a second report on July 4, Telegram confirmed they were investigating the issue and released a fix on July 11, updating the application to version 10.14.5. The patch ensured the chat multimedia preview correctly displayed the payload as an application rather than a video.
Response and Impact
On the same underground forum where the exploit was advertised, the threat actor also promoted an allegedly fully undetectable Android cryptor-as-a-service since January 2024. The discovery of EvilVideo underscores the importance of timely updates and vigilance against potential malware.
Telegram's Statement
Telegram provided the following statement:
“This exploit is not a vulnerability in Telegram. It would have required users to open the video, adjust Android safety settings, and then manually install a suspicious-looking ‘media app’. We received a report about this exploit on July 5th and a server-side fix was deployed on July 9th to protect users on all versions of Telegram.”
Conclusion
The EvilVideo exploit highlights the ongoing challenges in maintaining secure communication platforms. Users are encouraged to regularly update their applications and be cautious of suspicious multimedia files, even on trusted platforms like Telegram. Cybersecurity firms and communication platforms must continue to collaborate to identify and mitigate such threats swiftly.
Recommendations for Users
- Update Telegram: Ensure your Telegram app is updated to version 10.14.5 or later.
- Disable Automatic Downloads: Manually disable the automatic download of media files in Telegram settings.
- Be Cautious of External Players: Avoid opening media files in external players and be wary of prompts to install additional applications.
- Enable Security Settings: Use Android's security settings to restrict the installation of apps from unknown sources.
Staying informed and vigilant is crucial to protect against emerging threats in the digital landscape.
Source : Science of Security
No comments:
Post a Comment