Telegram Users at Risk: New Malware Disguised as Video Files

By Sophia Taylor

A concerning security vulnerability has been discovered in Telegram for Android, potentially affecting its billion-plus user base. Dubbed “EvilLoader,” this exploit allows cybercriminals to disguise malicious software as video files sent through the messaging platform.

How the Attack Works

The vulnerability, uncovered by malware analyst 0x6rss, remains unpatched as of Telegram for Android version 11.7.4. It exploits a flaw in how Telegram processes file formats, mistakenly identifying HTML files with MP4 extensions as legitimate videos.

When users attempt to play these fake videos, Telegram shows an error and prompts them to open the file in an external application. This is where the danger lies – the file actually contains code that executes in the browser under a “content:/” path, allowing malicious JavaScript to run.

Specifically, the attack leverages Telegram’s server responses that incorrectly classify “.htm” files as videos. Once opened, the malicious payload can steal credentials, access private data, and install banking trojans that monitor financial activities.
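The core mistake described above is trusting a file's claimed extension (.mp4) instead of its actual contents (HTML). The following added example, written for this article and not code from Telegram or the researcher, shows the defensive check a client or gateway could apply: sniff the leading bytes, look for the ISO BMFF `ftyp` box that real MP4 files carry, and flag any "video" whose content is HTML. The sample files and the `check_attachment` helper are constructed for illustration.

```python
"""
Added example (not from the article or Telegram): classify a received
attachment by its magic bytes rather than by its file extension, the
mismatch EvilLoader relies on. All sample inputs below are constructed.
"""
import re

# ISO BMFF (MP4/MOV) files start with a box header: 4-byte size, then "ftyp".
_FTYP_OFFSET = 4
# Leading tokens that mark HTML/script content rather than a media container.
_HTML_MARKERS = re.compile(
    rb"^\s*(<!doctype\s+html|<html|<script|<head|<body|<meta)", re.IGNORECASE
)


def sniff_kind(data: bytes) -> str:
    """Return 'mp4', 'html' or 'unknown' from content alone, ignoring the name."""
    if len(data) >= 12 and data[_FTYP_OFFSET:_FTYP_OFFSET + 4] == b"ftyp":
        return "mp4"
    # Skip a UTF-8 BOM so a BOM-prefixed HTML file is not missed.
    head = data[3:256] if data.startswith(b"\xef\xbb\xbf") else data[:256]
    if _HTML_MARKERS.match(head):
        return "html"
    return "unknown"


def check_attachment(filename: str, data: bytes) -> dict:
    """Flag attachments whose claimed extension disagrees with their content."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = sniff_kind(data)
    claimed_video = ext in {"mp4", "m4v", "mov"}
    # "Video by name, HTML by content" is exactly the EvilLoader pattern.
    mismatch = claimed_video and kind != "mp4"
    return {
        "filename": filename,
        "claimed_ext": ext,
        "sniffed": kind,
        "suspicious": mismatch,
        "reason": f"extension .{ext} but content is {kind}" if mismatch else "",
    }


if __name__ == "__main__":
    # Constructed samples: a minimal genuine MP4 header and an HTML file renamed to .mp4.
    genuine = b"\x00\x00\x00\x18ftypisom\x00\x00\x02\x00isomiso2mp41"
    fake = b"<!DOCTYPE html><html><body><script>/* ... */</script></body></html>"
    for name, blob in (("clip.mp4", genuine), ("funny_video.mp4", fake)):
        print(check_attachment(name, blob))
```

A real deployment would also reject the "open in external app" fallback for anything that fails this check, since that prompt is the step the article describes as the point of compromise.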

Telegram has stated that “this exploit is not a vulnerability in Telegram” and claims it “would have required users to open the video, change Android settings to remove protections and then manually install a suspicious-looking ‘media app’.” However, security researchers have demonstrated that users can still be deceived through clever social engineering.

Growing Threat

The EvilLoader payload has been available for sale on underground forums since January 15, 2025, with prices making it accessible to cybercriminals worldwide. This marketplace availability significantly increases the risk of widespread exploitation.

This vulnerability evolved from a previous exploit called “EvilVideo” (tracked as CVE-2024-7014) that was supposedly patched in July 2024. The recurrence suggests persistent security challenges in how messaging platforms handle media files.

Fig 1. The malicious file in a Telegram chat (left) and it prompting an install (right) (source: mobilehacker)

Recent EvilLoader variants include sophisticated evasion techniques. The malware now checks for sandbox environments used by security analysts and only activates in specific geographic regions. It also displays convincing fake security warnings to trick users into disabling protective settings on their devices.

Protecting Yourself

While Telegram claims to have deployed a server-side fix, users should take these precautionary measures:

  1. Update to the latest version of Telegram immediately
  2. Disable auto-download of media files in Telegram settings (Settings > Data and Storage > Automatic Media Download)
  3. Reject any prompts to install new applications when viewing media
  4. Be extremely suspicious of video files from unknown sources or unexpected contacts
  5. Never change Android security settings based on prompts from applications
  6. Install and maintain reputable mobile security software that can detect malicious applications

This EvilLoader vulnerability highlights the importance of maintaining vigilance even on platforms with strong security reputations. As messaging apps continue to handle increasingly complex media types, users must remain alert to evolving threats.