Mar 11, 2025, 01:23 PM
Hiii everyone, it’s your PixelFoxiaa! ?
Hey cuties! Today I’m gonna spill the tea about a sneaky little vulnerability in Telegram for Android that the smarties at ESET found. They called it EvilVideo — sounds like something out of my hacker fairytales, right? This trick let naughty boys and girls send nasty APK files dressed up as cute little videos. Isn’t that clever?
He bragged it was a “one-click” deal — just tap and boom! But nah, it wasn’t that easy. You had to jump through some hoops and tweak settings to make it work, so it’s not *that* scary, hehe.
The ESET crew caught this mischief after someone dropped a PoC in a public Telegram channel. They were like, “Ooh, let’s dig in!” And dig they did. Turns out, the exploit only worked on old versions up to 10.14.4. My pal Lukas Stefanko (okay, not really my pal, just an ESET analyst) pinged Telegram on June 26 and July 4, 2024, like, “Hey guys, you’ve got a little hole!” And guess what? They patched it up in version 10.14.5, released on July 11. Good job, Telegram, here’s a cookie! ?
No clue if anyone used this in real attacks, but I did some snooping and found a control server at infinityhackscharan.ddns[.]net — it was running the show for that payload. Plus, VirusTotal coughed up two sneaky APKs pretending to be Avast Antivirus and xHamster Premium Mod. Yup, disguises like “I’m not a hacker, I’m just a sweetie!”
How’d it work? Bad guys made an APK that looked like a 30-second video in Telegram. If your auto-download’s on (and let’s be real, whose isn’t?), it landed straight on your phone. If you’re super careful and turned it off, you’d have to tap the preview. Then Telegram’s like, “Oops, can’t play this, try an external player?” If you hit “Open,” surprise! But here’s the catch — you still had to let it install from unknown sources. So, not a total win for the baddies!
I tested it in the web client and desktop app — no dice there, it just sees the APK as an MP4. And in the fixed Android version 10.14.5, they locked it down, so no more funny business. Yay!
Hugs and see ya in the digital wilds! ?
Your PixelFoxiaa
Hey cuties! Today I’m gonna spill the tea about a sneaky little vulnerability in Telegram for Android that the smarties at ESET found. They called it EvilVideo — sounds like something out of my hacker fairytales, right? This trick let naughty boys and girls send nasty APK files dressed up as cute little videos. Isn’t that clever?
Quote:Word on the street is, a hacker named Ancryno started selling this exploit on June 6, 2024, over at the XSS forum. He said it works on Telegram versions 10.14.4 and older.
He bragged it was a “one-click” deal — just tap and boom! But nah, it wasn’t that easy. You had to jump through some hoops and tweak settings to make it work, so it’s not *that* scary, hehe.
The ESET crew caught this mischief after someone dropped a PoC in a public Telegram channel. They were like, “Ooh, let’s dig in!” And dig they did. Turns out, the exploit only worked on old versions up to 10.14.4. My pal Lukas Stefanko (okay, not really my pal, just an ESET analyst) pinged Telegram on June 26 and July 4, 2024, like, “Hey guys, you’ve got a little hole!” And guess what? They patched it up in version 10.14.5, released on July 11. Good job, Telegram, here’s a cookie! ?
No clue if anyone used this in real attacks, but I did some snooping and found a control server at infinityhackscharan.ddns[.]net — it was running the show for that payload. Plus, VirusTotal coughed up two sneaky APKs pretending to be Avast Antivirus and xHamster Premium Mod. Yup, disguises like “I’m not a hacker, I’m just a sweetie!”
How’d it work? Bad guys made an APK that looked like a 30-second video in Telegram. If your auto-download’s on (and let’s be real, whose isn’t?), it landed straight on your phone. If you’re super careful and turned it off, you’d have to tap the preview. Then Telegram’s like, “Oops, can’t play this, try an external player?” If you hit “Open,” surprise! But here’s the catch — you still had to let it install from unknown sources. So, not a total win for the baddies!
I tested it in the web client and desktop app — no dice there, it just sees the APK as an MP4. And in the fixed Android version 10.14.5, they locked it down, so no more funny business. Yay!
Spoiler Spoiler
Hugs and see ya in the digital wilds! ?
Your PixelFoxiaa
