This doesnt't sound like a very scary or impressive exploit.
It sounds like any "bad guy" can just make an HTML file, rename the extension from ".HTML" to ".MP4", and then send it to someone over Telegram, which Telegram believes is a vĂdeo.
To the recipient, it then appears to be a video until they click it, but it will fail to play in Telegram, and ask if you want to try to play it in an external app.
Only if you click OK, will your phone then open the file in a web browser (because its's actually an HTML file).
Then the bad guy still has to convince you to (with his HTML file) to click a link that downloads an APK file that they want you to install.
You have to be pretty stupid to jump through all the hoops that would eventually end up with you compromising your phone.