Malawi CERT warns of a zero-day security flaw in Telegram’s mobile app for Android, called EvilVideo, that made it possible for attackers to share malicious files disguised as harmless-looking videos.
“Attackers could share malicious Android payloads via Telegram channels, groups, and chat, and make them appear as multimedia files,” a security researcher said in a report. It’s believed that the payload is concocted using Telegram’s application programming interface (API), which allows for programmatic uploads of multimedia files to chats and channels. In doing so, it enables an attacker to camouflage a malicious APK file as a 30-second video.
The research says that, by default, media files received via Telegram are set to download automatically. “This means that users with the option enabled will automatically download the malicious payload once they open the conversation where it was shared.” While this option can be disabled manually, the payload can still be downloaded by tapping the download button accompanying the supposed video. It’s worth noting that the attack does not work on Telegram clients for the web or the dedicated Windows app.
Malawi CERT advises Telegram users to avoid downloading any suspicious videos and to understand app store security features when installing new applications.
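A defender's check for the disguise described above, as an added example that is not part of the advisory or of the researcher's report: it classifies received files by their content and ignores the name and preview, since the point of the flaw is that an APK is presented as a video. That an APK is a ZIP archive with `AndroidManifest.xml` at its root is general Android knowledge; the function names and the sample files are constructed for illustration.

```python
import zipfile
from pathlib import Path

ZIP_MAGIC = b"PK\x03\x04"             # APKs are ZIP archives
MATROSKA_MAGIC = b"\x1a\x45\xdf\xa3"  # MKV / WebM containers


def classify(path: Path) -> str:
    """Return 'apk', 'zip', 'video' or 'unknown' from file content only."""
    with path.open("rb") as fh:
        head = fh.read(8)
    if head.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(path) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "unknown"  # ZIP signature but no valid archive behind it
        # An installable Android package carries a manifest at the archive root.
        return "apk" if "AndroidManifest.xml" in names else "zip"
    # ISO base media files (MP4, MOV, 3GP) have 'ftyp' at offset 4.
    if head[4:8] == b"ftyp" or head.startswith(MATROSKA_MAGIC):
        return "video"
    return "unknown"


def find_apks(folder: Path) -> list[str]:
    """Names of all files in a download folder whose content is an APK."""
    return [p.name for p in sorted(folder.iterdir())
            if p.is_file() and classify(p) == "apk"]


def write_constructed_samples(folder: Path) -> None:
    """Constructed samples: a stand-in APK and the first box of an MP4 file."""
    with zipfile.ZipFile(folder / "received_1.bin", "w") as zf:
        zf.writestr("AndroidManifest.xml", b"constructed placeholder")
        zf.writestr("classes.dex", b"constructed placeholder")
    (folder / "received_2.bin").write_bytes(
        b"\x00\x00\x00\x18ftypisom\x00\x00\x02\x00isomiso2mp41")


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        write_constructed_samples(Path(tmp))
        for name in find_apks(Path(tmp)):
            print("Android package received as media:", name)
```

Pointed at a folder of files pulled from a device or a mail/chat gateway, any hit is an installable package that arrived through a media channel and deserves review before anyone opens it.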