The new EvilLoader exploit for Telegram uses disguised video files to trick users into downloading malware or revealing their IP addresses.
The new EvilLoader exploit for Telegram uses disguised video files to trick users into downloading malware or revealing their IP addresses.
This new malware is based on the previous EvilVideo. This exploit allows attackers to disguise malicious APK files as video files, potentially leading to the installation of malware on users' devices.
It remains unpatched in the latest version of Telegram for Android (11.7.4) and is actively being sold on underground forums, according to Android Police.
The exploit was first spotted by cybersecurity researcher 0×6rss. It works by tricking users into opening what appears to be a harmless video file, which actually contains embedded malicious code disguised as a .htm extension.
The .htm extension often triggers when playing a video, causing an error message saying «the application could not play this video,» prompting the user to «try playing it in an external browser.» Once the browser is opened, the malware can display a normal-looking Play Store listing to trick the user into downloading malware and revealing the IP address.
As a Telegram representative told ITC.UA, the aforementioned exploit is not considered a vulnerability in the Telegram messenger. For it to cause harm, users must open the video, make changes to the standard Android security settings, and then manually install the suspicious «media app.» He noted that the messenger team has deployed a server-side fix to protect users across all versions of Telegram.
Let us remind you that earlier an unpleasant story happened to Senior Technical Product Manager Andriy Osipenko, which could have damaged his reputation — scammers made a complete copy of his Telegram account and even duplicated his Telegram channel.
