CVE-2024-7014 in Telegram App (EvilVideo)

Summary

by MITRE • 07/23/2024

The EvilVideo vulnerability allows sending malicious apps disguised as videos in the Telegram for Android application, affecting versions 10.14.4 and older.


Analysis

by VulDB Data Team • 02/09/2026

The EvilVideo vulnerability is a social engineering attack vector that exploits the trust users place in multimedia content shared through the Telegram messaging platform. It affects the Android version of the Telegram application in all versions up to and including 10.14.4, putting at risk the millions of users who rely on the platform for communication. The flaw lets an attacker craft a malicious application that appears as a legitimate video file, exploiting the client's handling of file extensions and its content type validation. It shows how a messaging platform can be compromised through a seemingly benign file transfer when the application fails to properly validate file integrity and the context in which a file is opened.

Exploitation works by manipulating file naming conventions and metadata within the Telegram Android client. An attacker can create a file that carries a video file extension but contains malicious executable code or scripts designed to bypass standard security measures. The root cause is inadequate input validation and insufficient file type detection in the client's media processing pipeline, which allows a malicious payload to be disguised as legitimate video content. The flaw sits at the intersection of file extension handling and content inspection, where the application's security controls fail to distinguish genuine multimedia files from maliciously crafted executables. The vulnerability is categorized under CWE-502 (deserialization of untrusted data) and represents a form of code injection that leverages user trust in file sharing mechanisms.

The operational impact of CVE-2024-7014 extends beyond simple malware distribution: it creates an attack surface that can facilitate advanced persistent threats and credential theft. When a user downloads and opens what appears to be a video file, the malicious payload can execute with the privileges of the Telegram application, potentially leading to full device compromise. Because the malicious code is disguised as legitimate media content, it can bypass traditional security controls such as antivirus software and application sandboxing. The attack vector aligns with ATT&CK technique T1566, targeting user execution through social engineering and malicious file delivery. Possible outcomes include data exfiltration, keylogging and remote access, which makes the vulnerability particularly dangerous for users who may be targeted for espionage or corporate data theft.

Mitigation must address both immediate defensive measures and long-term architectural improvements in the Telegram Android application. Users should update immediately to the latest Telegram version that contains the patch for this vulnerability, while administrators should implement network-level monitoring to detect suspicious file transfers. The recommended approach includes deploying content inspection systems that identify and block suspicious combinations of file extension and content, implementing strict file extension validation, and maintaining user education programs about the risks of opening untrusted media files. Security controls should also include runtime application integrity checks and behavioral monitoring to detect anomalous execution patterns that may indicate exploitation attempts. Organizations should consider zero-trust network access controls that require additional verification before a file may be executed, particularly for files received through messaging applications. The vulnerability highlights the need for continuous security assessment and robust file validation in mobile applications; traditional perimeter-based security models are insufficient against social engineering attacks that exploit user trust and application behavior.
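The content inspection recommended above comes down to one check: does the declared video extension match what the bytes actually are? The following is an added example (not Telegram's or VulDB's code) of such a check; the sample byte strings are constructed, and an APK is flagged because it is a ZIP archive rather than a video container.

```python
import os
import struct

# Constructed sample inputs (not real files or malware): the start of a genuine
# ISO BMFF (MP4) file, and the start of a ZIP archive, which is what an APK is.
SAMPLE_MP4 = struct.pack(">I", 24) + b"ftypisom" + b"\x00\x00\x02\x00" + b"isomiso2mp41"
SAMPLE_APK = b"PK\x03\x04" + bytes(26) + b"classes.dex"

VIDEO_EXTENSIONS = {".mp4", ".m4v", ".mov", ".3gp", ".mkv", ".webm", ".avi"}
VIDEO_CONTAINERS = {"isobmff", "matroska", "avi"}


def sniff_container(data: bytes) -> str:
    """Identify the container from leading bytes only; the filename is ignored."""
    if len(data) >= 12 and data[4:8] == b"ftyp":
        return "isobmff"              # MP4 / MOV / 3GP: size box followed by 'ftyp'
    if data[:4] == b"\x1a\x45\xdf\xa3":
        return "matroska"             # EBML header shared by MKV and WebM
    if data[:4] == b"RIFF" and data[8:12] == b"AVI ":
        return "avi"
    if data[:4] in (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08"):
        return "zip"                  # ZIP archive; APK, JAR and XAPK files are ZIPs
    if data[:4] == b"dex\n":
        return "dex"                  # bare Dalvik executable
    return "unknown"


def check_attachment(filename: str, data: bytes) -> tuple[str, str]:
    """Return ('allow' | 'block', reason).

    Block whenever the extension claims a video but the content is not a known
    video container, so an archive or executable renamed to .mp4 never passes.
    """
    ext = os.path.splitext(filename)[1].lower()
    kind = sniff_container(data)
    if ext in VIDEO_EXTENSIONS and kind not in VIDEO_CONTAINERS:
        return "block", f"{filename}: extension claims video, content is {kind}"
    return "allow", f"{filename}: content type {kind} is consistent with extension"


if __name__ == "__main__":
    for name, blob in (("holiday.mp4", SAMPLE_MP4), ("holiday.mp4", SAMPLE_APK)):
        print(check_attachment(name, blob))
```

Magic-byte sniffing is the minimum a gateway should do; the same function can run on a file before the client hands it to any system component that decides how to open it.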

Responsible

ESET

Reservation

07/23/2024

Disclosure

07/23/2024

Moderation

accepted

CPE

ready

EPSS

0.17546

KEV

no

Activities

very low
