A dangerous new trick targeting Telegram users has been uncovered, and it’s something every Android user needs to know about. Cybersecurity expert 0x6rss has revealed that attackers can send fake video files through Telegram that secretly install harmful software (malware) on your phone or expose personal details like your location. This issue, nicknamed “EvilLoader,” is a serious threat — and it’s already being sold to cybercriminals online.

Imagine getting a video from a friend on Telegram. You tap to play it, but instead of a funny clip, your phone downloads something nasty — like spyware that can steal your passwords or ransomware that locks your files until you pay up. That’s what EvilLoader does. Attackers disguise these fake videos as normal files, but they’re actually sneaky traps. When you try to open them, they can trick you into installing a harmful app or quietly send your IP address (a clue to your location) to the attacker.

This isn’t a one-off fluke. It’s an updated version of a similar problem called “EvilVideo” that popped up last year. The researcher who found it warned Telegram on March 4, 2025, but there’s no fix yet. Even worse, since January, cybercriminals have reportedly been buying and selling this trick on shady online forums, meaning it’s spreading fast.


Telegram is super popular because it’s private and easy to use — over 900 million people trust it every month. That trust makes this trick extra dangerous. You might not think twice about opening a video from someone you know, but with EvilLoader, even a familiar contact could accidentally send you trouble. If your phone gets infected, attackers could spy on you, steal your info, or hold your data hostage.

Right now, this only affects Android users, and it works on the latest version of Telegram (11.7.4) that came out late last month. Since there’s no official patch yet, every Android user on Telegram is at risk. Interestingly, YouTube creators are also facing something similar.


How does Telegram’s EvilLoader work?

Without getting too technical, here’s the gist: Attackers send a file that looks like a video but isn’t. When you tap it, Telegram might ask you to open it with another app or warn you it can’t play. If you agree to install something to “fix” it, boom — you’ve just let the bad guys in. Sometimes, it doesn’t even need that — it can quietly grab your info in the background when you try to open it.
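The core of the trick is a file whose name says "video" while its contents say something else. The sketch below is an added example, not code from the researcher or from Telegram. It shows how a defender or a file-handling service can compare a file's extension with its leading bytes. The container signatures are the standard ones for MP4, Matroska/WebM, AVI and ZIP/APK; the function names and sample files are constructed for illustration, and the HTML case is just one example of non-video content.

```python
import struct

VIDEO_EXTENSIONS = {".mp4", ".m4v", ".mov", ".3gp", ".mkv", ".webm", ".avi"}

def sniff(data: bytes) -> str:
    """Name the content type the leading bytes indicate, or 'unknown'."""
    if len(data) >= 16 and data[4:8] == b"ftyp":
        # ISO BMFF (MP4/MOV/3GP): big-endian box size, then the 'ftyp' tag.
        if struct.unpack(">I", data[:4])[0] >= 16:
            return "video/isobmff"
    if data[:4] == b"\x1a\x45\xdf\xa3":          # EBML header: Matroska/WebM
        return "video/matroska"
    if data[:4] == b"RIFF" and data[8:12] == b"AVI ":
        return "video/avi"
    if data[:4] == b"PK\x03\x04":                # ZIP local header; APKs are ZIPs
        return "zip-or-apk"
    head = data[:512].lstrip().lower()
    if head.startswith((b"<!doctype html", b"<html", b"<script")):
        return "html"
    return "unknown"

def check_video(filename: str, data: bytes) -> str:
    """Return 'ok' only when a video-named file really starts like a video."""
    dot = filename.rfind(".")
    ext = filename[dot:].lower() if dot != -1 else ""
    if ext not in VIDEO_EXTENSIONS:
        return "not-a-video-name"
    kind = sniff(data)
    return "ok" if kind.startswith("video/") else f"mismatch:{kind}"

# Constructed samples (not taken from any real attack file).
MP4_SAMPLE = struct.pack(">I", 24) + b"ftypisom" + b"\x00\x00\x02\x00" + b"isommp41"
HTML_SAMPLE = b"\n<!DOCTYPE html><html><body>constructed sample</body></html>"
APK_SAMPLE = b"PK\x03\x04" + b"\x00" * 26

if __name__ == "__main__":
    for name, blob in [("clip.mp4", MP4_SAMPLE),
                       ("clip.mp4", HTML_SAMPLE),
                       ("update.MP4", APK_SAMPLE)]:
        print(name, "->", check_video(name, blob))
```

Anything reported as a mismatch should be treated as untrusted, no matter who sent it.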

The researcher who discovered EvilLoader shared this warning to help users stay safe while Telegram works on a solution. They’ve seen this kind of trick before — last year’s EvilVideo was similar — and Telegram eventually patched that one. But with EvilLoader already in the hands of criminals, time is ticking. Telegram hasn’t said when a fix is coming, so for now, it’s up to you to stay cautious.

Hillary Keverenge