A zero-day security issue in the Telegram mobile app for Android, dubbed EvilVideo, made it possible for attackers to send malicious files disguised as harmless-looking videos.
The exploit was put up for sale at an unknown price on an underground forum on June 6, 2024, ESET said. After a responsible disclosure on June 26, Telegram fixed the problem in version 10.14.5, released on July 11.
“Attackers can share malicious Android payloads through Telegram channels, groups, and chat and make them appear as multimedia files,” security researcher Lukáš Štefanko said in the report.
The payload is believed to be created using the Telegram API, which allows developers to programmatically upload multimedia files to chats and channels. This lets an attacker camouflage a malicious APK file as a 30-second video.
Users who tap on the video are shown a genuine warning that the video cannot be played and are prompted to try playing it with an external player. If they proceed with that step, they are then asked to allow the installation of the APK file via Telegram. The program in question is called “xHamster Premium Mod”.
“By default, media files received via Telegram are set to automatically download,” Stefanka said. “This means that users with the option enabled will automatically download the malicious payload as soon as they open the conversation in which it was shared.”
Although this option can be disabled manually, the payload can still be downloaded by tapping the download button that accompanies the supposed video. It should be noted that the attack does not work on the Telegram web client or the dedicated Windows client.
It is currently unclear who is behind the exploit or how widely it has been used in real attacks. The same actor, however, advertised in January 2024 an Android cryptor (aka crypter), claimed to be fully undetectable, that can reportedly bypass Google Play Protect.
The viral success of Hamster Kombat spawns a malicious copier
The development comes as cybercriminals cash in on the Telegram-based cryptocurrency game Hamster Kombat for monetary gain, with ESET detecting fake app stores promoting the app, GitHub repositories hosting Lumma Stealer for Windows under the guise of automation tools for the game, and an unofficial Telegram channel used to distribute an Android trojan called Ratel.
The popular game, launched in March 2024, is estimated to have over 250 million players, according to the game’s developer. Telegram CEO Pavel Durov has called Hamster Kombat “the fastest growing digital service in the world” and said that “the Hamster team will mint their token on TON, bringing the benefits of blockchain to hundreds of millions of people.”
Offered through a Telegram channel called “hamster_easy”, Ratel is designed to impersonate the game (“Hamster.apk”) and prompts users to grant it notification access and set it as the default SMS app. It then contacts a remote server and receives a phone number in response.
In the next step, the malware sends an SMS message in Russian to this phone number, which probably belongs to the malware operators, to receive further instructions via SMS.
“Threat actors are then able to control the compromised device via SMS: the operator’s message can contain text to be sent to a specified number, or even command the device to call that number,” ESET said. “The malware can also check the current balance of the victim’s bank account with the Sberbank of Russia by sending a message with the text balance (translation: balance) to the 900 number.”
Ratel abuses its notification access to hide notifications from at least 200 apps based on a hard-coded list built into it. It is suspected that this is done in an attempt to subscribe the victim to various premium services without them being notified.
The Slovakian cybersecurity firm said it also discovered fake app storefronts that claim to offer Hamster Kombat for download but actually redirect users to unwanted ads, and GitHub repositories offering Hamster Kombat automation tools that deploy Lumma Stealer instead.
“The success of Hamster Kombat has also led to cybercriminals who have already begun deploying malware targeting the game’s players,” Štefanko and Peter Strýček said. “Hamster Kombat’s popularity makes it ripe for abuse, meaning it’s highly likely that the game will attract more malicious actors in the future.”
BadPack Android malware slips through the cracks
Beyond Telegram, malicious APKs targeting Android devices have also taken the form of BadPacks: specially crafted package files in which header information in the ZIP archive format has been altered in an attempt to thwart static analysis.
The idea is to prevent AndroidManifest.xml, a key file containing essential information about a mobile application, from being extracted and properly analyzed, allowing malicious artifacts to be installed without triggering any alerts.
This method was widely documented by Kaspersky in April in connection with an Android trojan called SoumniBot, which targets users in South Korea. Telemetry data collected by Palo Alto Networks’ Unit 42 between June 2023 and June 2024 found nearly 9,200 BadPack samples in the wild, although none were found in the Google Play Store.
“These fake headers are a key feature of BadPack, and such samples usually pose a problem for Android reverse engineering tools,” Unit 42’s Lee Wei Yeong said in a report released last week. “Many Android-based banking trojans, such as BianLian, Cerberus, and TeaBot, use BadPack.”
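One practical triage check for the altered-header trick described above is to compare every entry’s local file header against its central-directory record, since an APK whose two records disagree for AndroidManifest.xml deserves a closer look before any static-analysis verdict is trusted. The script below is an added example, not code from ESET, Unit 42 or Kaspersky; the sample archive it builds is constructed for the demo and merely stands in for an altered header, it is not a real BadPack sample.

```python
import io
import struct
import zipfile

LOCAL_HDR_FMT = "<IHHHHHIIIHH"  # ZIP local file header, 30 bytes
LOCAL_HDR_SIG = 0x04034B50      # little-endian "PK\x03\x04"
USES_DATA_DESCRIPTOR = 0x0008   # general-purpose flag bit 3


def find_header_mismatches(apk_bytes):
    """Compare each entry's local file header with its central-directory record.

    In a clean APK the two agree; a disagreement on AndroidManifest.xml is the
    kind of inconsistency to flag before trusting a tool that parsed only one.
    Returns a list of (name, field, local_value, central_value) tuples.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for zi in zf.infolist():            # infolist() comes from the central directory
            off = zi.header_offset
            (sig, _ver, flags, method, _t, _d, crc, csize, usize,
             _nlen, _xlen) = struct.unpack(LOCAL_HDR_FMT, apk_bytes[off:off + 30])
            if sig != LOCAL_HDR_SIG:
                findings.append((zi.filename, "signature", hex(sig), hex(LOCAL_HDR_SIG)))
                continue                    # nothing else in this header is trustworthy
            if method != zi.compress_type:
                findings.append((zi.filename, "compress_type", method, zi.compress_type))
            if not flags & USES_DATA_DESCRIPTOR:
                # CRC and sizes live in the local header only when no data descriptor is used
                for field, local, central in (("crc", crc, zi.CRC),
                                              ("compress_size", csize, zi.compress_size),
                                              ("file_size", usize, zi.file_size)):
                    if local != central:
                        findings.append((zi.filename, field, local, central))
    return findings


def build_sample(tamper):
    """Constructed APK-like ZIP for the demo (not a real sample). With
    tamper=True the compression-method field in the local header of
    AndroidManifest.xml is overwritten, so the two records disagree."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest package='example.app'/>" * 8)
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
    data = bytearray(buf.getvalue())
    if tamper:
        with zipfile.ZipFile(io.BytesIO(bytes(data))) as zf:
            off = zf.getinfo("AndroidManifest.xml").header_offset
        struct.pack_into("<H", data, off + 8, 0xFFFF)   # method field sits at offset 8
    return bytes(data)
```

Run `find_header_mismatches(open("app.apk", "rb").read())` on a real file; an empty list means the two ZIP records agree, anything else names the entry and field that differ.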