Telegram Evilvideo Vulnerability Used to Execute Malicious Code on Devices

A new exploit has emerged that bears similarities to the CVE-2024-7014 vulnerability, allowing attackers to execute malicious code on Android devices through the Telegram messaging app.

This technique, discovered on March 4, 2025, involves disguising an HTML file as a video and sending it via the Telegram API, potentially tricking users into inadvertently running JavaScript code.

Technical Details of the Exploit

The vulnerability stems from Telegram’s handling of file extensions. When an “.htm” file is sent through the Telegram API with a video MIME type, the app perceives it as a legitimate video file.

When a user attempts to open this fake video, the app may redirect to the default browser, or the file may open directly if it is recognized as an HTML file.

This behavior allows the embedded JavaScript to execute, potentially leading to various malicious actions.
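For defenders, the mismatch described above (a file declared as video that is really HTML) can be checked from the file itself. The following is an added example, not code from the researchers or from Telegram: the function names, the reason labels and the sample files are all constructed for illustration, and the signature list covers only a few common video containers.

```python
from __future__ import annotations
import re

# Extensions that a browser or WebView will render as markup.
HTML_EXTENSIONS = (".htm", ".html", ".xhtml")
# Markup tokens searched for in the first bytes of the file.
HTML_MARKERS = re.compile(
    rb"<\s*(!doctype\s+html|html|head|body|script|iframe|meta)\b", re.I)


def looks_like_video(head: bytes) -> bool:
    """True if the leading bytes match a common video container signature."""
    if head[4:8] == b"ftyp":                                # MP4 / MOV / 3GP
        return True
    if head.startswith(b"\x1a\x45\xdf\xa3"):                # Matroska / WebM
        return True
    if head.startswith(b"RIFF") and head[8:12] == b"AVI ":  # AVI
        return True
    return False


def triage(filename: str, declared_mime: str, data: bytes) -> list[str]:
    """Return the reasons a file declared as video should not be trusted as one."""
    reasons = []
    if not declared_mime.lower().startswith("video/"):
        return reasons  # only media declared as video is in scope here
    head = data[:4096]
    if filename.lower().endswith(HTML_EXTENSIONS):
        reasons.append("html-extension")
    if not looks_like_video(head):
        reasons.append("no-video-signature")
    if HTML_MARKERS.search(head):
        reasons.append("html-markup")
    return reasons


# Constructed samples: (filename, declared MIME type, leading bytes).
SAMPLES = [
    ("holiday.mp4", "video/mp4", b"\x00\x00\x00\x18ftypisom" + b"\x00" * 32),
    ("clip.webm", "video/webm", b"\x1a\x45\xdf\xa3\x9fB\x86\x81\x01" + b"\x00" * 32),
    ("funny_video.htm", "video/mp4",
     b"<!DOCTYPE html><html><body><script>/* inert */</script></body></html>"),
    ("movie.mp4", "video/mp4", b"\n  <html><head><title>x</title></head></html>"),
]

if __name__ == "__main__":
    for name, mime, data in SAMPLES:
        print(f"{name:18} {mime:11} {triage(name, mime, data) or 'ok'}")
```

The last sample shows why the extension alone is not enough: a file named ".mp4" with HTML content is still flagged because it has no video container signature and its first bytes contain markup.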

The exploit leverages the “content://” URI scheme on Android, specifically targeting the path “content://org.telegram.messenger.provider/media/Android/data/org.telegram.messenger/files/Telegram/Telegram%20Video/”.

When the HTML content is opened through this method, it bypasses certain security restrictions, allowing the attacker’s code to run.

One demonstrated scenario involves an IP logger. When the victim opens the disguised file, thinking it’s a video, the browser executes the HTML content.

This action triggers a script that fetches the user’s IP information and sends it to the attacker’s server, all without the user’s knowledge or consent.

Researchers have created a proof-of-concept script that automates the process of crafting and sending these malicious “videos” through Telegram.

The script uses the Telegram Bot API to distribute the payload, making it relatively simple for attackers to implement this technique at scale.

This new exploit serves as a reminder of the ongoing cat-and-mouse game between security researchers and malicious actors.

While it shares similarities with the previous CVE-2024-7014 vulnerability, which involved the Evilloader malware, this new method demonstrates how attackers continue to find creative ways to abuse legitimate features for malicious purposes.

As of now, it’s unclear whether Telegram has been notified of this specific exploit or if a patch is in development.

Users are advised to exercise caution when opening video files received through Telegram, especially if they’re prompted to open them in external applications or browsers.

Keeping the Telegram app and the device operating system up to date remains crucial in mitigating such threats.
