A critical zero-day vulnerability in Telegram for Android, dubbed EvilLoader, has been discovered by security researcher 0x6rss.
The exploit lets an attacker disguise a malicious APK as a video file sent through Telegram, potentially leading to malware being installed on the recipient's device.
Vulnerability Details
The EvilLoader vulnerability abuses Telegram's file handling: an HTML file given an .mp4 extension is accepted and presented as a legitimate video, because the client trusts the extension rather than checking what the file actually contains.
When a user attempts to play one of these crafted "videos," Telegram cannot play it as media and instead prompts them to open the file in an external application, which is the step that can lead to malicious software being installed.
As of this writing the vulnerability remains unpatched in the latest version of Telegram for Android (v11.7.4), and the exploit has been offered for sale on underground forums since January 15, 2025.
It is similar to a previous vulnerability in the same client, EvilVideo (CVE-2024-7014), discovered in July 2024.
Exploit Mechanism
The attack vector relies on manipulating Telegram's media handling process.
When a user receives and attempts to play the malicious file, they are prompted to open it in an external application, and that application then offers to install the disguised APK.
If the user accepts and the app doing the installing has been granted the "Install unknown apps" permission (labelled "installation from unknown sources" on older Android versions), the APK is installed and the device can be compromised.
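The weakness described above is an app trusting a file's extension instead of its bytes. As an added illustration (this is not Telegram's code and not the researcher's exploit), the check below shows what a receiving client or a file-scanning gateway could do: classify a blob by its leading bytes and flag any file whose extension claims one type while the content says another. The three sample blobs are constructed inline; the HTML sample stands in for the crafted "video" and carries no real payload, and the names and helper functions are this example's own.

```python
import os

# Constructed sample files (not real malware). A genuine MP4 carries an 'ftyp'
# box near the start, an HTML document starts with markup, and an APK is a ZIP.
SAMPLES = {
    "real.mp4": b"\x00\x00\x00\x18ftypmp42\x00\x00\x00\x00mp42isom",
    "evil_loader.mp4": b"<!DOCTYPE html><html><body><script>location='x'</script></body></html>",
    "video.mp4": b"PK\x03\x04\x14\x00\x00\x00\x08\x00AndroidManifest.xml",
}

# What each extension claims the content should be.
EXT_TO_TYPE = {".mp4": "mp4", ".m4v": "mp4", ".apk": "zip", ".html": "html", ".htm": "html"}


def sniff(data: bytes) -> str:
    """Classify a blob by its leading bytes, ignoring the file name entirely."""
    head = data[:64]
    # ISO BMFF / MP4: 4-byte box size followed by the 'ftyp' box type.
    if len(head) >= 12 and head[4:8] == b"ftyp":
        return "mp4"
    # ZIP local file header; APKs are ZIP archives.
    if head.startswith(b"PK\x03\x04"):
        return "zip"
    # HTML: skip a BOM and leading whitespace, then look for common markup openers.
    stripped = head.lstrip(b"\xef\xbb\xbf \t\r\n").lower()
    if stripped.startswith((b"<!doctype html", b"<html", b"<script", b"<head", b"<body")):
        return "html"
    return "unknown"


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the extension claims a known type and the bytes do not match it."""
    ext = os.path.splitext(filename)[1].lower()
    claimed = EXT_TO_TYPE.get(ext)
    if claimed is None:
        return False  # extension not in our table: nothing to compare against
    return sniff(data) != claimed


def scan(samples: dict) -> dict:
    """Map each file name to (detected type, mismatch flag)."""
    return {name: (sniff(data), extension_mismatch(name, data)) for name, data in samples.items()}


if __name__ == "__main__":
    for name, (kind, bad) in scan(SAMPLES).items():
        print(f"{name}: content looks like {kind}; {'MISMATCH' if bad else 'ok'}")
```

A client applying this check would refuse to present `evil_loader.mp4` as a video at all, and a gateway would quarantine it; an HTML file, whatever its name, should never reach the "open in external application" prompt that the attack depends on.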
The availability of this exploit on underground marketplaces raises significant concern about widespread abuse.
Cybercriminals can use it to deliver any APK of their choosing, including spyware and ransomware, to unsuspecting Telegram users.
The researcher notified Telegram’s security team on March 04, 2025, but due to the urgency of the issue and its active exploitation, decided to disclose the vulnerability publicly to raise awareness.
Until Telegram addresses this vulnerability, users are advised to exercise caution when handling media files, especially those from unknown senders.
Recommended precautions are to disable auto-download for media files in Telegram's settings, to decline any prompt to open a "video" in another application (a genuine video plays inside Telegram), to keep the "Install unknown apps" permission disabled for browsers and file managers, and to use reputable mobile security software.
With the vulnerability unpatched and actively exploited, Telegram users should remain vigilant until the messaging platform ships an official security update for this issue.