
UPDATED: Telegram users are attacked by EvilVideo — how to avoid the exploit

Published by Vadym Karpus

Telegram is positioned as a secure and private platform for digital conversation, offering features such as secret chats, end-to-end encryption (not for group chats), two-step verification, self-destructing messages, proxy support, and the ability to hide your phone number. However, these same features have made the messenger attractive to cybercriminals.

In August last year, Telegram CEO Pavel Durov was detained in France over allegations that Telegram was not sufficiently combating illegal activities on the platform. After that, Telegram updated its terms of use and privacy policy, stating that it would hand over fraudsters’ IP addresses and phone numbers to the relevant authorities upon request. However, this did not stop the hackers.

Now Telegram has a new exploit called EvilLoader. According to security researcher 0x6rss, attackers use it to spread malware via Telegram by disguising viruses as video files. When such a file is opened, the .htm code it contains is launched and produces a video playback error. The user is then asked to try to open the video in an external browser, after which they are redirected to a fake Play Store page where they may be forced to install malware.

EvilLoader is based on the old EvilVideo vulnerability, which was discovered in the summer of 2024 and quickly patched. However, EvilLoader remains unfixed in the latest version of Telegram (11.7.4) and is actively used by hackers. The .htm extension used in the attack has been sold on underground forums since at least January 15, 2025.

How to protect yourself from EvilLoader?

This exploit only works if you have enabled the installation of applications from unknown sources through your default browser. To protect yourself:

  1. Go to Android settings: Settings → Applications → Special access → Install unknown applications
  2. Select your default browser.
  3. Turn off the «Allow from this source» option.

Until Telegram fixes the vulnerability, users are advised to be careful and not to open suspicious video files.
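The disguise described above (a file presented as a video whose content is really .htm code) can be spotted by comparing the file name with the file's first bytes. The following is an added example, not code from the researcher or from Telegram; the function names, verdict strings and sample bytes are assumptions constructed for illustration, and it assumes the attachment has been saved with a video file extension.

```python
import re

# (name, offset, magic) signatures of common video containers.
VIDEO_MAGIC = [
    ("mp4/mov/3gp", 4, b"ftyp"),
    ("webm/mkv", 0, b"\x1a\x45\xdf\xa3"),
    ("avi", 8, b"AVI "),
]
VIDEO_EXTENSIONS = (".mp4", ".m4v", ".mov", ".3gp", ".webm", ".mkv", ".avi")
# Markup that should never open a real video container.
HTML_START = re.compile(
    rb"\s*(<!doctype\s+html|<html|<head|<body|<script|<meta|<iframe)", re.I)


def sniff(head: bytes) -> str:
    """Classify leading bytes as a video container name, 'html' or 'unknown'."""
    for name, offset, magic in VIDEO_MAGIC:
        if head[offset:offset + len(magic)] == magic:
            return name
    text = head.removeprefix(b"\xef\xbb\xbf")  # ignore a UTF-8 byte order mark
    return "html" if HTML_START.match(text) else "unknown"


def check_attachment(filename: str, head: bytes) -> str:
    """Verdict for one attachment: does a video name carry video content?"""
    if not filename.lower().endswith(VIDEO_EXTENSIONS):
        return "not-named-as-video"
    kind = sniff(head)
    if kind == "html":
        return "html-disguised-as-video"
    return "video" if kind != "unknown" else "unrecognized"


# Constructed samples (first bytes only), not taken from any real attachment.
SAMPLES = {
    "holiday.mp4": b"\x00\x00\x00\x18ftypisom\x00\x00\x02\x00isomiso2",
    "clip.webm": b"\x1a\x45\xdf\xa3\x9fB\x86\x81\x01",
    "funny_video.mp4": b"\xef\xbb\xbf<!DOCTYPE html>\n<html><body>...</body></html>",
    "notes.txt": b"plain text",
    "broken.mp4": b"\x00" * 16,
}

if __name__ == "__main__":
    for name, head in SAMPLES.items():
        print(f"{name:16} {check_attachment(name, head)}")
```

A verdict of `unrecognized` only means the first bytes match none of the listed containers, so such a file deserves a closer look rather than automatic trust.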

UPDATED: A Telegram representative provided a comment to the ITC.UA editorial team regarding this matter. According to the representative, the exploit in question is not a vulnerability in Telegram. To become a victim, users would need to open a video, modify the default Android security settings, and then manually install a suspicious “media application.” Additionally, the messenger team has deployed a server-side fix to protect users across all Telegram versions.

The messenger team representative also added that Telegram’s privacy policy has allowed the disclosure of criminals’ IP addresses and phone numbers since 2018.

Source: androidpolice