Summary
- A new ‘EvilLoader’ payload exploit on Telegram uses disguised video files to trick users into downloading malware or revealing their IP addresses.
- This new malware, building on the previous ‘EvilVideo,’ utilizes a disguised .htm extension within video files to redirect users to malicious downloads. It remains unpatched in the latest Telegram Android version and is being actively sold in underground forums.
- Users can mitigate the risk by disabling the installation of unknown apps from their default browser settings. Telegram’s history of addressing similar issues suggests a patch may be forthcoming, but until then, vigilance is crucial.
Telegram is a somewhat solid platform for anyone looking for digital privacy, with features like secret chats, end-to-end encryption (not for group chats), two-step verification, self-destructing media, proxy support, and the option to hide your phone number from everybody. However, serving as a double-edged sword, these features have also made Telegram a hotbed for malicious activity.
In August last year, Telegram CEO Pavel Durov was detained in France for allegedly failing to curb illegal activities on the platform, and lo and behold, the platform took measures to curb some of the malicious activity, all while altering its terms of service and privacy policy to state that it would hand over fraud actors’ IP and phone numbers to relevant authorities if probed. So much for being privacy focused.
Those warnings, however, haven’t stopped malicious actors from exploiting users on the platform, and it looks like a new ‘EvilLoader’ exploit is now doing the rounds.
First highlighted by cybersecurity researcher 0x6rss (via TechIssuesToday), fraud actors are using the exploit to push malware onto users’ devices right through Telegram, all hidden behind a convenient video veil. Essentially, this works by tricking users into opening what looks to be a harmless video file, which actually contains embedded malicious code disguised within an .htm extension. Often triggered upon video playback, the .htm extension pushes an “app was unable to play this video” error, prompting the user to “try to play it in an external browser.” Once the browser is open, the payload can then show you a legitimate-looking Play Store listing, tricking you into downloading malware and exposing your IP.
The vulnerability remains unpatched
‘EvilLoader’ builds upon the foundation of a previous vulnerability known as ‘EvilVideo,’ which surfaced last summer and was promptly patched. EvilLoader, however, remains unpatched as of Telegram’s latest Android build, version 11.7.4, and can be actively used to exploit potential victims. As highlighted by mobile-hacker, the .htm-based exploit has been available to purchase on shady underground forums since at least January 15, 2025.
For what it’s worth, you can only fall victim to this exploit if you’ve enabled the installation of unknown apps via your default browser. If you’re a regular Telegram user and want to take preventive measures until the platform patches the vulnerability, head to your Android device’s Settings → Apps → Special app access → Install unknown apps → select your default browser → toggle off ‘Allow from this source.’
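Since the exploit only works on devices where the default browser may install unknown apps, an admin with a fleet of Android devices will want to audit that permission rather than tap through Settings on each one. The script below is an added example (not from the article or from the researcher) that classifies the output of `adb shell appops get <pkg> REQUEST_INSTALL_PACKAGES`; the package names and the sample appops lines are constructed for illustration, and the live-device functions assume `adb` with USB debugging.

```shell
#!/bin/sh
# Added example: audit which apps hold the "Install unknown apps" permission
# (app-op REQUEST_INSTALL_PACKAGES), the setting EvilLoader depends on.

# Classify one line of `appops get <pkg> REQUEST_INSTALL_PACKAGES` output.
# Observed forms: "REQUEST_INSTALL_PACKAGES: allow; time=+..." (permitted),
# "REQUEST_INSTALL_PACKAGES: default" / "No operations." (not permitted).
# Prints "<pkg> allow" or "<pkg> deny".
classify_appops() {
  pkg=$1
  line=$2
  case "$line" in
    "REQUEST_INSTALL_PACKAGES: allow"*) echo "$pkg allow" ;;
    *)                                  echo "$pkg deny" ;;
  esac
}

# Live check: list every installed package that may side-load APKs.
audit_device() {
  for pkg in $(adb shell pm list packages | tr -d '\r' | sed 's/^package://'); do
    classify_appops "$pkg" \
      "$(adb shell appops get "$pkg" REQUEST_INSTALL_PACKAGES | tr -d '\r' | head -n1)"
  done | grep ' allow$' | cut -d' ' -f1
}

# Command-line counterpart of Settings -> Install unknown apps -> toggle off.
revoke_unknown_sources() {
  adb shell appops set "$1" REQUEST_INSTALL_PACKAGES ignore
}

# Offline demo over constructed appops output (no device needed); returns the
# packages that would be flagged, in input order.
demo_flagged() {
  {
    classify_appops com.example.browser "REQUEST_INSTALL_PACKAGES: allow; time=+3d2h"
    classify_appops com.example.store   "REQUEST_INSTALL_PACKAGES: allow"
    classify_appops com.example.notes   "REQUEST_INSTALL_PACKAGES: default"
    classify_appops com.example.game    "No operations."
  } | grep ' allow$' | cut -d' ' -f1
}
```

Run `audit_device` against a connected device and pass any browser it lists to `revoke_unknown_sources` to close the path the article describes.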