A new virus is attacking the Android system via Telegram: Ukrainians are at risk of losing their accounts and money.

A new malicious program called EvilLoader is spreading in the messaging app Telegram

A new malicious program has appeared in the Telegram messaging app that disguises itself as a regular video and steals users' personal data. This was reported by Android Police.

According to cybersecurity experts, this vulnerability was discovered by 0x6rss. Hackers are using this method to spread malware through Telegram, hiding it under regular video files. To scare users, they offer them to watch videos that actually contain malicious code with a .htm extension.

CVE-2024-7014 Returns: attackers can send messages disguised as fake videos through Telegram, forcing you to download malicious software or reveal your IP address. Blog: Check PoC: pic.twitter.com/Ja4YfuRqsc — 0x6rss (@0x6rss) March 4, 2025.

When users open these videos, they see the error 'The program cannot play this file' and are prompted to go to the browser. Then, a fake Google Play page appears, attempting to force them to install malicious software capable of stealing the IP address and other personal data. Scammers create a bot that resembles Free Telegram Premium and through it urge users to run the virus.

The malicious program EvilLoader is a modification of the previous malicious program EvilVideo, which was discovered last summer and was quickly removed. Unfortunately, at the moment, EvilLoader has not been removed even in the new Telegram version 11.7.4, so hackers continue to exploit this. According to mobile-hacker, files with a .htm extension containing this vulnerability have been sold on hacker forums since January 15, 2025.

It is important to note that this threat may only arise if the installation of applications from unknown sources via the browser is enabled on your device.

To protect yourself, until the official update of Telegram is released, it is advised to take the following safety measures: open the Settings menu, go to Applications, find Special access, and in the list select your default browser. Then disable the 'Allow from this source' option.

Also, we remind you that on Saturday, March 9, a massive failure occurred with Visa and Mastercard, which prevented users from making card purchases or withdrawing cash.