A new zero-day vulnerability in Telegram for Android, dubbed EvilLoader, has been uncovered by malware analyst 0x6rss.
This exploit enables threat actors to disguise malicious APKs as video files, potentially leading to unauthorized malware installations on users’ devices.
The vulnerability, which remains unpatched in the latest Telegram for Android version 11.7.4, allows attackers to manipulate Telegram’s handling of video files.
By crafting an HTML file with an MP4 extension, attackers can trick Telegram into misidentifying it as a legitimate video file.
When a user attempts to play this specially crafted “video,” Telegram prompts them to open the file in an external application, potentially leading to the installation of malicious software.
Exploit Available on Underground Forums
Alarmingly, the payload for EvilLoader has been available for sale on underground forums since January 15, 2025.
This accessibility to cybercriminals worldwide significantly increases the risk of widespread abuse.
The exploit’s availability on these marketplaces enables threat actors to easily obtain and deploy it against unsuspecting Telegram users.
Similarities to Previous Vulnerabilities
EvilLoader bears a striking resemblance to a previous vulnerability called EvilVideo, disclosed in July 2024 and tracked as CVE-2024-7014.
Both exploits operate similarly, allowing attackers to manipulate video files to deliver malicious APKs.
The recurrence of such vulnerabilities highlights the ongoing security challenges faced by messaging platforms.
While Telegram has been notified of the vulnerability, users are advised to take precautionary measures.
These include staying alert for security updates, disabling auto-download of media files in Telegram settings, avoiding untrusted media files, and using reputable mobile security software capable of detecting malicious APKs.
The discovery of EvilLoader underscores the critical need for robust security measures in messaging applications, especially those handling media files.
As the vulnerability remains unpatched and actively exploited, Telegram users must exercise extreme caution when handling media files to protect their devices from potential compromise.
Collect Threat Intelligence on the Latest Malware and Phishing Attacks with ANY.RUN TI Lookup ->Â Try for free
