Telegram Android flaw enables hackers to disguise malware as videos
Attackers on Telegram are disguising malicious scripts as videos and tricking users into running them. Accidental clicking will leak some user data and may lead to forced malicious app installations. Telegram deployed a server-side fix.

A security researcher who goes by the moniker 0x6rss has detailed a vulnerability called EvilLoader that affects the Telegram Android app. It’s similar to the bug from last year when attackers directly sent users APK files disguised as adult videos.

While Telegram fixed the previous flaw, the researcher found that its API still allows attackers to disguise malicious files as videos.


Attackers can disguise a .htm file as a video and send it to unsuspecting users. This extension is used for webpage files saved with the Hypertext Markup Language (HTML). However, web pages may also include and run JavaScript (JS) code.

If a Telegram user tries to play the disguised file, the JavaScript code inside the HTML will execute. This allows attackers to download and run additional malicious payloads.

0x6rss described a theoretical scenario in which the fake video fails to open in the video player and is instead handed to the default browser, where the malicious JS code runs.


This alone already exposes the user’s IP address, but the attack is not complete. The file can then mimic any legitimate website or redirect to other malicious websites. In the provided example, the researcher spoofed the Google Play store, prompting the user to install a fake Google Play Protect app.

Users would get some red flags in the form of pop-ups: they would need to enable third-party app installation and grant the app permissions for full control of their device. Google protects Android users with Play Protect, which warns about or blocks known malicious apps that come from outside of the Play Store.

“The main reason for the vulnerability is that the ‘.htm’ file format in the response to Telegram servers is perceived as a video,” the researcher said in a blog post.

“The content is opened, allowing the specified HTML page to be triggered and opened.”


A security researcher known as 0x6rss published details on EvilLoader, a vulnerability in the Telegram Android app that can be used to force-install apps on a user's device. Telegram on top of security as usual cti.monster/blog/2025/03...

Catalin Cimpanu (@campuscodi.risky.biz), March 6, 2025 at 12:18 PM

Essentially, the flaw lies in how the Telegram Android app interprets and processes files received via API. The app tries to handle the .htm file like a video and allows JS code to run.
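The mismatch the article describes, a file whose declared type says video while its extension and bytes say HTML, can be caught before any player or browser is involved. The following is an added example written for this page, not code from Telegram or from the researcher; the sniffer, the function names and the sample bytes are constructed assumptions.

```python
import re

VIDEO_MIMES = {"video/mp4", "video/webm", "video/x-matroska", "video/quicktime"}
VIDEO_EXTS = {".mp4", ".webm", ".mkv", ".mov"}


def sniff(data: bytes) -> str:
    """Classify a blob by its leading bytes (deliberately small sniffer)."""
    head = data[:512]
    if len(head) >= 12 and head[4:8] == b"ftyp":      # ISO BMFF: MP4, MOV
        return "video/mp4"
    if head.startswith(b"\x1a\x45\xdf\xa3"):           # EBML: Matroska, WebM
        return "video/webm"
    text = head.lstrip(b"\xef\xbb\xbf \t\r\n").lower()
    if re.match(rb"<!doctype\s+html|<html|<head|<body|<script", text):
        return "text/html"
    return "application/octet-stream"


def classify_attachment(name: str, declared_mime: str, data: bytes) -> dict:
    """Decide whether an attachment may be handed to the video player.

    Anything declared as video must also look like video by extension AND by
    content; HTML content is never playable, whatever the metadata claims.
    """
    ext = name[name.rfind("."):].lower() if "." in name else ""
    actual = sniff(data)
    reasons = []
    if declared_mime in VIDEO_MIMES and ext not in VIDEO_EXTS:
        reasons.append(f"declared {declared_mime} but extension is {ext or 'none'}")
    if declared_mime in VIDEO_MIMES and actual not in VIDEO_MIMES:
        reasons.append(f"declared {declared_mime} but content sniffs as {actual}")
    if actual == "text/html":
        reasons.append("content is HTML; must not be opened as media")
    return {"verdict": "play" if not reasons else "block",
            "actual": actual, "reasons": reasons}


# Constructed samples, not real files: a minimal MP4 'ftyp' box and a tiny HTML page.
SAMPLE_MP4 = b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 20
SAMPLE_HTML = b"<!DOCTYPE html><html><body>placeholder</body></html>"

if __name__ == "__main__":
    for args in (("cat.mp4", "video/mp4", SAMPLE_MP4),
                 ("clip.htm", "video/mp4", SAMPLE_HTML),
                 ("clip.mp4", "video/mp4", SAMPLE_HTML)):
        print(args[0], classify_attachment(*args))
```

The same check applies server-side at upload time, which is where a fix like the one Telegram deployed can stop a mislabeled file before it reaches any client version.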

Proof of concept for the flaw is already publicly available.

“This exploit is not a vulnerability in Telegram. It would have required users to open the video, adjust Android safety settings and then manually install a suspicious-looking ‘media app’. We have deployed a server-side fix to protect users on all versions of Telegram,” a spokesperson for Telegram told Cybernews.

Updated on March 7th [08:40 a.m. GMT] with a statement from Telegram.