A dangerous zero-day could have left Telegram users open to attack via video

Hackers found a way to have .APK files show as video clips in Telegram

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Cybersecurity researchers from ESET have warned of a recently-discovered vulnerability targeting Telegram users.

The vulnerability allowed threat actors to deploymalwareon the vulnerable devices, and had apparently been actively exploited for weeks.

A threat actor called Ancryno took to a Russian-speaking underground forum in early June 2024, to sell a zero-day exploit for Telegram versions 10.14.4 and older. This drew the attention of ESET’s experts, and when a proof-of-concept (PoC) was published, they picked up the malicious payload, analyzed it, and confirmed that it works.

Fake prompts

The vulnerability allowed threat actors to create malicious .APK files (Android installation packages) which, to the recipient, look like a video message. Since Telegram automatically downloads all multimedia, all the victim needs to do is open up the chat window to receive the payload.

Users who disabled the automatic download of multimedia files need to tap on the received message once to trigger the download.

This leaves the problem of actually running the file, since the APK still needs to be installed. The hackers partially solved it by displaying a fake prompt that the video needs to be played in an external player. Accepting this prompt triggers another one which says that Telegram is barred from installing APK files. If the victim ignores all of these red flags, they will end up with the installed malware.

Further analyzing the threat actor’s infrastructure, ESET found two malicious payloads hosted online, one that pretends to be Avast Antivirus, and a fake “premium mod” for xHamster (a website with adult content).

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

The researchers reported their findings to Telegram’s developers, which came back with a patch on July 11. In its writeup, BleepingComputer points that the flaw was running wild for at least five weeks, giving crooks plenty of time to target Telegram users.

The earliest patched version is v10.14.5. Telegram’s desktop app was never vulnerable.

A Telegram spokesperson has tol TechRadar Pro,“This exploit is not a vulnerability in Telegram. It would have required users to open the video, adjust Android safety settings and then manually install a suspicious-looking “media app”.We received a report about this exploit on July 5th and a server-side fix was deployed on July 9th to protect users on all versions of Telegram.”

ViaBleepingComputer

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Washington state court systems taken offline following cyberattack

Is it still worth using Proton VPN Free?

Filming with an iPhone? A smart, AI-powered gimbal from Hohem can help