CVE-2024-7014 - EvilVideo Attack on Telegram for Android – How Hackers Can Send Malicious Apps as Videos

In June 2024, ESET researchers spotted a zero-day exploit for Telegram for Android being advertised on an underground forum. The flaw, later tracked as CVE-2024-7014 and nicknamed EvilVideo, lets an attacker deliver a malicious Android application (APK) that Telegram renders in the chat as an ordinary video. A victim who taps the "video" and accepts the prompts that follow ends up installing the APK. Telegram for Android 10.14.4 and older are affected; the fix shipped in 10.14.5.

In this post we walk through what CVE-2024-7014 is, how the exploit works (with code), and how to protect yourself, and we point you to the primary sources.

What Is EvilVideo (CVE-2024-7014)?

ESET Research found a logic flaw in how Telegram's Android client decides what an attachment is. Normally, when you receive or download a video on Telegram, it shows up as a media item in the chat and only plays when tapped, never running any code. The client, however, trusted the type declared for the file rather than the file's actual contents. An attacker could therefore take a malicious APK, give it a video name (.mp4) and, via the Telegram API, a video MIME type, and Telegram would still render it as a playable video.

When you tap this "video", nothing plays: Telegram reports that it cannot play the file and offers to open it with an external player. Accepting hands the file to Android, which recognises it as an APK, asks you to allow Telegram to install unknown apps (if that permission was not already granted), and then shows the package installer. Unsuspecting users who click through each prompt end up with the malware installed.

Why Does This Work? (Technical Breakdown)

Telegram's client chose how to render an attachment from the MIME type and file name declared in the message, not from the bytes of the file itself. The Telegram API lets a sender set that MIME type freely when uploading a document. Attackers realised they could:

- build a malicious APK;
- upload it with a video MIME type and a .mp4 name, so the declared type says "video";
- rely on the client showing it as a video preview and, on tap, handing the real APK to Android's package installer.

You can reproduce the renaming part with the following shell commands (Linux/bash example). This only shows how little the file itself has to change; the disclosed exploit delivered the payload through the Telegram API with a video MIME type, which the stock app does not let you set by hand.

# 1. Start from a real APK (e.g. 'malicious.apk') and give it a video extension.
#    The bytes are left untouched: an APK is a ZIP archive and must keep its
#    'PK\x03\x04' signature at offset 0 to remain installable.
cp malicious.apk funnycat.mp4

# 2. Do not bolt on a fake MP4 header. A real MP4 begins with a 4-byte box size
#    and carries 'ftyp' at offset 4, not offset 0, and overwriting the first bytes
#    of the APK destroys its ZIP signature. The result would neither play as a
#    video nor install as an app, which is also why sniffing the first bytes is
#    enough to tell the two formats apart.

# 3. Deliver it. In the disclosed exploit the file was uploaded through the
#    Telegram API with a video MIME type. No special privileges are required,
#    only an ordinary Telegram account.

Telegram then renders *funnycat.mp4* as a video attachment in the chat (a preview that never actually plays). Tapping it leads to the "cannot play, open with external player?" prompt and, from there, to Android's package installer.

If the user grants Telegram permission to install unknown apps and then taps "Install", the attacker's malware is on the device.

*Telegram itself adds no warning beyond the standard "open with external app?" dialog; the only safety net is Android's own install-from-unknown-sources permission and installer prompt.*
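The missing check, as an added example that is not from the original post or from Telegram's code: classify an attachment by its leading bytes (an MP4 carries the box type 'ftyp' at offset 4; an APK is a ZIP whose signature sits at offset 0 and which contains AndroidManifest.xml), then compare that with the MIME type the sender declared. The sample APK and MP4 bytes are constructed inside the block and are not real files; the MIME-to-kind mapping is an assumption for illustration.

```python
import io
import struct
import zipfile

# Assumed mapping from declared MIME type to the container we expect to find (illustration only).
MIME_TO_KIND = {
    "video/mp4": "mp4",
    "application/vnd.android.package-archive": "apk",
}

# ZIP local-file-header, end-of-central-directory and data-descriptor signatures.
ZIP_SIGNATURES = (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08")


def sniff_container(data: bytes) -> str:
    """Classify a file by its leading bytes, ignoring name, extension and declared MIME type.

    Returns one of 'mp4', 'apk', 'zip', 'zip(corrupt)' or 'unknown'.
    """
    # ISO BMFF (MP4/MOV): a 4-byte box size, then the box type 'ftyp' at offset 4.
    if len(data) >= 8 and data[4:8] == b"ftyp":
        return "mp4"
    # APK = ZIP archive; the signature must sit at offset 0.
    if data[:4] in ZIP_SIGNATURES:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "zip(corrupt)"
        return "apk" if "AndroidManifest.xml" in names else "zip"
    return "unknown"


def declared_type_matches(declared_mime: str, data: bytes) -> bool:
    """The check EvilVideo showed was missing: does the declared type agree with the bytes?"""
    expected = MIME_TO_KIND.get(declared_mime)
    return expected is not None and expected == sniff_container(data)


def verdict(filename: str, declared_mime: str, data: bytes) -> str:
    """Human-readable result for one incoming attachment."""
    actual = sniff_container(data)
    if declared_type_matches(declared_mime, data):
        return f"{filename}: declared {declared_mime}, content {actual}: OK"
    return f"{filename}: declared {declared_mime}, content {actual}: MISMATCH, treat as untrusted document"


def make_fake_apk() -> bytes:
    """Constructed sample: a ZIP with the two entries every APK has. Not a real, installable app."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()


def make_fake_mp4() -> bytes:
    """Constructed sample: a bare 'ftyp' box (size, type, major brand, minor version,
    one compatible brand). Enough to be recognised as MP4; it holds no playable media."""
    return struct.pack(">I", 20) + b"ftyp" + b"isom" + struct.pack(">I", 0x200) + b"isom"


if __name__ == "__main__":
    apk = make_fake_apk()
    print(verdict("funnycat.mp4", "video/mp4", apk))  # the EvilVideo case
    print(verdict("holiday.mp4", "video/mp4", make_fake_mp4()))
    print(verdict("update.apk", "application/vnd.android.package-archive", apk))
    # The fake-header idea from the shell example above: writing 'ftyp' over the
    # first four bytes puts it at the wrong offset and destroys the ZIP signature,
    # so the result is recognised as neither format.
    print(sniff_container(b"ftyp" + apk[4:]))
```

A client that applied `declared_type_matches` before choosing a renderer would have shown the EvilVideo payload as a generic document with an .apk warning instead of a video preview. Sniffing is cheap because both signatures live in the first eight bytes; the ZIP parse is only needed to distinguish an APK from any other archive.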

Official References

- ESET Research, "Cursed tapes: Exploiting the EvilVideo vulnerability on Telegram for Android", WeLiveSecurity, 22 July 2024 (the original disclosure)
- NIST National Vulnerability Database: CVE-2024-7014

How to Protect Yourself

- Update your Telegram app: Telegram fixed this vulnerability in version 10.14.5 (July 2024). Update from the Play Store or Telegram's official site.
- Do NOT install apps from Telegram chats: Android cannot install an APK without your approval, and it first asks you to allow Telegram to install unknown apps. Never grant that permission, and never accept an install prompt that appears after tapping a "video". Install apps only from the Play Store.
- Turn off automatic media download for unknown contacts and groups in Telegram's data and storage settings: with the default settings the malicious file was fetched to the device before anyone tapped it.

Conclusion

CVE-2024-7014 (EvilVideo) is a serious vulnerability that made it easy to spread malware disguised as cute or funny videos via Telegram for Android. The exploit is dangerously simple: it relies on nothing more than a mismatch between a file's declared type and its real contents, which Telegram's media handler did not check. *All users should update Telegram to 10.14.5 or later.*

For more details, check the original disclosures and keep your apps up to date!

Stay safe and always double-check before opening videos from strangers (or even friends, if they seem unusual) on Telegram.



Timeline

Published on: 07/23/2024 10:15:02 UTC
Last modified on: 11/21/2024 09:50:45 UTC