An alleged critical vulnerability has been found in Telegram, a popular messaging app, which could potentially endanger millions of Android users.
This vulnerability allows cybercriminals to gain unauthorized access to devices by deceiving users into playing a harmful video using a player from an untrusted source.
The process starts when the victim receives a video message via Telegram. When you try to play the video, an error message pops up, tricking you into thinking you need to use a different player.
After the victim gives their consent and opens the video using the suggested third-party player, their device is infected with a harmful payload.
This payload may claim to be a legitimate external player, but it actually installs itself through the device's package installer and then asks for a wide range of permissions.
A video demonstration uploaded on Twitter by the user @TodayCyberNews provides a clear and concise showcase of the exploit's functionality.
The attacker sends a video to the target device. When the recipient clicks on it, a fake message appears, falsely claiming that Telegram is unable to play the video. It then guides the victim to install malware by suggesting an external player.
More clear demonstration:
This harmful app asks for complete control over your device, including permission to view phone call logs, text messages, screen recording, audio, camera, and other features. After the user grants these permissions, the attacker will have full control over the device's critical functions.
The video provides a clear demonstration of the attacker's backend terminal, explaining each step of the exploit in a straightforward manner. The exploit's success relies on user interaction, using clickbait videos to trick victims into installing the harmful payload.
Unfortunately, the demonstration video's clarity is affected by Twitter's video compression, which has caused some doubts about the authenticity of the exploit.
Although the demonstration is quite convincing, there is a chance that the video might be a fabricated proof-of-concept (POC). It is still unclear whether the exploit is legitimate, and Telegram has not yet responded to these claims.
In addition, just last April, Telegram dismissed a different vulnerability in their desktop program as a hoax.
We advise users to refrain from opening unfamiliar videos sent by anonymous individuals on Telegram.