Cyber Security News

EvilLoader – Unpatched Telegram for Android 0-Day Vulnerability Lets Attackers Install Malware Via Video Files

A new zero-day vulnerability in Telegram for Android, dubbed EvilLoader, has been uncovered by malware analyst 0x6rss.

This exploit enables threat actors to disguise malicious APKs as video files, potentially leading to unauthorized malware installations on users’ devices.

The vulnerability, which remains unpatched in the latest Telegram for Android version 11.7.4, allows attackers to manipulate Telegram’s handling of video files.

By crafting an HTML file with an MP4 extension, attackers can trick Telegram into misidentifying it as a legitimate video file.

When a user attempts to play this specially crafted “video,” Telegram prompts them to open the file in an external application, potentially leading to the installation of malicious software.

Exploit Available on Underground Forums

Alarmingly, the payload for EvilLoader has been available for sale on underground forums since January 15, 2025.

This accessibility to cybercriminals worldwide significantly increases the risk of widespread abuse.

The exploit’s availability on these marketplaces enables threat actors to easily obtain and deploy it against unsuspecting Telegram users.

EvilLoaderEvilLoader
Post from underground forum offering the exploit

Similarities to Previous Vulnerabilities

EvilLoader bears a striking resemblance to a previous vulnerability called EvilVideo, disclosed in July 2024 and tracked as CVE-2024-7014.

Both exploits operate similarly, allowing attackers to manipulate video files to deliver malicious APKs.

The recurrence of such vulnerabilities highlights the ongoing security challenges faced by messaging platforms.

While Telegram has been notified of the vulnerability, users are advised to take precautionary measures.

These include staying alert for security updates, disabling auto-download of media files in Telegram settings, avoiding untrusted media files, and using reputable mobile security software capable of detecting malicious APKs.

The discovery of EvilLoader underscores the critical need for robust security measures in messaging applications, especially those handling media files.

As the vulnerability remains unpatched and actively exploited, Telegram users must exercise extreme caution when handling media files to protect their devices from potential compromise.

Collect Threat Intelligence on the Latest Malware and Phishing Attacks with ANY.RUN TI Lookup -> Try for free

Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Recent Posts

Hackers Exploit Host Header Injection to Breach Web Applications

Cybersecurity researchers have reported a significant rise in web breaches triggered by a lesser-known technique:…

2 hours ago

Hackers Exploit Windows Remote Management to Evade Detection in AD Networks

A new wave of cyberattacks is targeting Active Directory (AD) environments by abusing Windows Remote…

2 hours ago

Researchers Uncover Remote Code Execution Flaw in macOS – CVE-2024-44236

Security researchers Nikolai Skliarenko and Yazhi Wang of Trend Micro’s Research Team have disclosed critical…

3 hours ago

Apache ActiveMQ Vulnerability Allows Attackers to Induce DoS Condition

Critical vulnerability in Apache ActiveMQ (CVE-2024-XXXX) exposes brokers to denial-of-service (DoS) attacks by allowing malicious…

3 hours ago

Kaspersky Alerts on AI-Driven Slopsquatting as Emerging Supply Chain Threat

Cybersecurity researchers at Kaspersky have identified a new supply chain vulnerability emerging from the widespread…

3 hours ago

UK Government to Shift Away from Passwords in New Security Move

UK government has unveiled plans to implement passkey technology across its digital services later this…

3 hours ago