Summary:
ESET researchers discovered a critical zero-day vulnerability on June 26th, 2024 named EvilVideo in Telegram for Android versions up to 10.14.4 being sold on an underground cybercriminal forum. Attackers exploited this vulnerability to distribute malicious payloads disguised as video files within Telegram chats, channels, and groups. When a user attempted to play the seemingly harmless video, they were tricked into installing a malicious app disguised as an external media player. The vulnerability was particularly dangerous because Telegram for Android automatically downloads media by default, potentially compromising users who simply opened chats containing the malicious payload.

Security Officer Comments:
EvilVideo, a zero-day exploit advertised for sale on an underground forum, highlights the ever-present threat of cyberattacks targeting popular messaging platforms. The vulnerability seems to stem from a Telegram function that allows improper handling of specific file uploads. This enabled attackers to upload malicious APKs disguised as video files, bypassing the usual warnings for app attachments. While the exploit specifically targeted Telegram for Android, it was ineffective on other platforms due to their inherent attachment handling mechanisms. Following responsible disclosure practices, ESET researchers reported EvilVideo to Telegram and eventually prompted them to release a patch (version 10.14.5) that fixes the vulnerability on July 11th, 2024. This update ensures accurate file type identification within multimedia previews, preventing app attachments from masquerading as videos. This incident emphasizes the importance of keeping mobile apps updated, exercising caution with unsolicited media content, and potentially disabling automatic media downloads in messaging apps for an extra layer of protection.

Suggested Corrections:
IOCs for this campaign can be found here.

By implementing a VPN or security appliance as the first line of defense for internet-exposed appliances, organizations can establish a secure perimeter and effectively shield their internal network from direct exposure to potential threats. This approach adds an extra barrier for attackers to overcome, making it more difficult for them to exploit zero-day vulnerabilities and penetrate the network. Furthermore, coupling this with robust security measures such as regular patching, network segmentation, and intrusion detection systems can significantly bolster the organization's resilience against evolving cyber threats, including zero-day attacks.

Zero days can be tough to mitigate depending on what type of device or piece of software is susceptible. The time gap between the production, release, and deployment of a patch and vulnerability disclosure is the most critical aspect of zero vulnerabilities or anyone for that matter. An attacker can leverage a vulnerability from when it's known until systems are patched, which is why vulnerabilities must be responsibly disclosed to vendors. Unfortunately, until development teams release a patch or effective mitigation, there is not much companies can do to prevent attackers from leveraging unpatched systems, especially those exposed to the internet - aside from taking them offline entirely. A disconnect can significantly impact business functions which is why those who fill IT Leadership roles must communicate the possible implications, risks, and overall impact to business leaders so decisions can be made that favor all aspects of the business totality. Applying defense-in-depth strategies and zero-trust can significantly assist in preventing the exploitation of zero-days. Still, it may not contain a full-blown attack depending on the severity and type of exploit possible.

Link(s):
https://www.bleepingcomputer.com/news/security/telegram-zero-day-allowed-sending-malicious-android-apks-as-videos/

https://www.welivesecurity.com/en/eset-research/cursed-tapes-exploiting-evilvideo-vulnerability-telegram-android/