A zero-day vulnerability in Telegram’s Android app, known as EvilVideo, enabled attackers to distribute malicious files disguised as innocent videos.
ESET reported that the exploit was listed for sale on an underground forum on June 6, 2024, for an undisclosed price. After responsible disclosure on June 26, Telegram addressed the issue in version 10.14.5 released on July 11.
“Attackers could distribute harmful Android payloads through Telegram channels, groups, and chats, making them appear as multimedia files,” stated security researcher Lukáš Štefanko in a report.
The payload is believed to be crafted using Telegram’s API, which allows programmatic uploads of multimedia files to chats and channels; this lets an attacker present a malicious APK file as a 30-second video.
Users who tap the video see a message stating that it cannot be played and suggesting they try an external player. If they proceed, they are then asked to allow Telegram to install the APK file. The app in question is called “xHamster Premium Mod.”
“By default, media files received via Telegram are set to download automatically,” Štefanko noted. “This means that users with the option enabled will automatically download the malicious payload upon opening the conversation where it was shared.”
While the auto-download option can be disabled manually, the payload can still be fetched by tapping the download button shown next to the supposed video. The attack does not affect Telegram’s web clients or the dedicated Windows app.
The identity of the perpetrator and the extent of real-world attacks remain unclear. However, the same individual advertised a fully undetectable Android crypter capable of bypassing Google Play Protect in January 2024.
Hamster Kombat’s Viral Success Spawns Malicious Copycat
The rise in cybercriminal activity coincides with the popularity of the Telegram-based cryptocurrency game Hamster Kombat, which attackers are exploiting for financial gain. ESET has discovered fake app stores promoting the game, GitHub repositories hosting Lumma Stealer for Windows disguised as automation tools, and an unofficial Telegram channel distributing an Android trojan named Ratel.
Launched in March 2024, Hamster Kombat boasts over 250 million players, according to its developers. Telegram CEO Pavel Durov has praised the game as the “fastest-growing digital service in the world” and announced that Hamster’s team will mint its token on TON, bringing blockchain benefits to a massive audience.
Ratel, distributed via a Telegram channel named “hamster_easy,” masquerades as the game (“Hamster.apk”) and asks users to grant it notification access and set it as the default SMS application. It then contacts a remote server to obtain a phone number, likely one controlled by the malware operators, and sends a Russian-language SMS to that number in order to receive further instructions.
“The threat actors can control the compromised device via SMS: They can instruct it to send texts to specific numbers or even make calls,” ESET stated. “The malware can also check the victim’s Sberbank Russia account balance by sending a message with the text баланс (balance) to the number 900.”
Ratel uses its notification access to hide alerts from over 200 apps based on a hard-coded list, likely to subscribe victims to premium services without their knowledge.
ESET also found fake application storefronts falsely offering Hamster Kombat for download that instead lead to unwanted ads, as well as GitHub repositories purporting to offer automation tools but deploying Lumma Stealer.
“The success of Hamster Kombat has attracted cybercriminals who are targeting its players with malware,” said security researchers Lukáš Štefanko and Peter Strýček. “Given the game’s popularity, it is highly likely that more malicious actors will exploit it in the future.”
BadPack Android Malware Slips Through the Cracks
Beyond Telegram, malicious APK files targeting Android devices have also emerged in the form of BadPack: specially crafted package files in which header information of the ZIP archive format has been altered to impede static analysis.
The goal is to prevent the extraction and proper parsing of the AndroidManifest.xml file, which carries the metadata about the application (package name, components, requested permissions) that analysis tools rely on. As a result, malicious artifacts can be installed without detection.
Kaspersky extensively documented this technique in April, highlighting an Android trojan named SoumniBot that targeted users in South Korea. Telemetry from Palo Alto Networks Unit 42 recorded nearly 9,200 BadPack samples in the wild between June 2023 and June 2024, none of which were found on the Google Play Store.
“These tampered headers are a key feature of BadPack, posing significant challenges for Android reverse engineering tools,” Unit 42 researcher Lee Wei Yeong explained in a report published last week. “Many Android-based banking trojans, such as BianLian, Cerberus, and TeaBot, utilize BadPack.”
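The two file-level checks a triage analyst would want after reading the EvilVideo and BadPack sections above, as an added example that is not code from the article, ESET, Kaspersky or Unit 42: first, classify an attachment by its magic bytes rather than by the type Telegram (or any client) advertises, so an "MP4" that is really a ZIP/APK stands out; second, compare every entry's ZIP central-directory record against its local file header, the inconsistency BadPack relies on. The sample "APK" is a two-entry ZIP constructed in memory, and the specific fields altered (compression method and sizes zeroed in the local header) are an assumption of what such tampering can look like, not a reproduction of any real sample.

```python
"""Constructed example: attachment magic sniffing and ZIP local-vs-central header checks."""
import io
import struct
import zipfile

LOCAL_HEADER_SIG = 0x04034B50
LOCAL_HEADER_FMT = "<IHHHHHIIIHH"   # 30-byte fixed part of a ZIP local file header
DATA_DESCRIPTOR_FLAG = 0x0008        # bit 3: sizes/CRC follow the data, local fields may be 0


def sniff_container(blob: bytes) -> str:
    """Classify by content, not by extension or the MIME type a client claims."""
    if blob[:4] == b"PK\x03\x04":
        return "zip"                       # APKs are ZIP archives
    if len(blob) >= 12 and blob[4:8] == b"ftyp":
        return "mp4"                       # ISO BMFF: 4-byte box size then 'ftyp'
    return "unknown"


def build_sample_apk(tamper: bool) -> bytes:
    """Constructed APK-like ZIP; with tamper=True the manifest's local header lies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest package='example.app'/>" * 4)
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
        manifest_offset = zf.getinfo("AndroidManifest.xml").header_offset
    data = bytearray(buf.getvalue())
    if tamper:
        # Assumed tampering: local header claims STORED with zero-length data
        # (method at +8, compressed/uncompressed sizes at +18/+22) while the
        # central directory still records DEFLATE and the real sizes.
        struct.pack_into("<H", data, manifest_offset + 8, zipfile.ZIP_STORED)
        struct.pack_into("<II", data, manifest_offset + 18, 0, 0)
    return bytes(data)


def check_local_headers(apk_bytes: bytes) -> list[tuple]:
    """Return (entry, field, local_value, central_value) for every disagreement."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            off = info.header_offset
            (sig, _ver, flags, method, _mtime, _mdate, crc, csize, usize,
             name_len, _extra_len) = struct.unpack_from(LOCAL_HEADER_FMT, apk_bytes, off)
            if sig != LOCAL_HEADER_SIG:
                findings.append((info.filename, "signature", sig, LOCAL_HEADER_SIG))
                continue
            local_name = apk_bytes[off + 30: off + 30 + name_len].decode("utf-8", "replace")
            if local_name != info.filename:
                findings.append((info.filename, "name", local_name, info.filename))
            if method != info.compress_type:
                findings.append((info.filename, "compression method", method, info.compress_type))
            # With a data descriptor present, zeroed sizes/CRC in the local header are legitimate.
            if not flags & DATA_DESCRIPTOR_FLAG:
                for field, local, central in (
                    ("crc32", crc, info.CRC),
                    ("compressed size", csize, info.compress_size),
                    ("uncompressed size", usize, info.file_size),
                ):
                    if local != central:
                        findings.append((info.filename, field, local, central))
    return findings


def read_manifest(apk_bytes: bytes) -> bytes:
    """zipfile, like Android's installer, resolves entries via the central directory."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return zf.read("AndroidManifest.xml")


if __name__ == "__main__":
    disguised_video = build_sample_apk(tamper=True)   # sent as "video.mp4"
    print("container:", sniff_container(disguised_video))
    for entry, field, local, central in check_local_headers(disguised_video):
        print(f"{entry}: local {field}={local!r} vs central {field}={central!r}")
    print("manifest still readable via central directory:", read_manifest(disguised_video)[:20])
```

Two points worth keeping in mind when adapting this: the package installer on the device and Python's zipfile both take compression method and sizes from the central directory, so read_manifest() still returns the manifest from the tampered file, whereas a tool that trusts the local file header would be handed a STORED entry of length zero; and size/CRC comparisons are skipped whenever the data-descriptor flag is set, because streamed archives legitimately write zeros there, so flagging them would produce false positives on benign APKs.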
Source: TheHackerNews