A zero-day security hole in Telegram's mobile app for Android termed EvilVideo made it feasible for attackers to harmful files disguised as harmless-looking films.
The exploit emerged for sale for an undisclosed sum in an underground forum on June 6, 2024, ESET stated. Following responsible disclosure on June 26, the issue was fixed by Telegram in version 10.14.5 released on July 11.
"Attackers could share malicious Android payloads via Telegram channels, groups, and chat, and make them appear as multimedia files," security researcher Lukáš Štefanko warned in a report.
It's thought that the payload is constructed using Telegram's application programming interface (API), which allows for automated uploads of multimedia files to chats and channels. In doing so, it enables an attacker to hide a malicious APK file as a 30-second film.
Users who click on the video are presented a genuine warning message indicating the video cannot be played and invites them to try playing it using an external player. Should they proceed with the procedure, they are later requested to approve installation of the APK file over Telegram. The app in question is named "xHamster Premium Mod."
"By default, media files received via Telegram are set to download automatically," Štefanko explained. "This means that users with the option enabled will automatically download the malicious payload once they open the conversation where it was shared."
While this functionality can be removed manually, the payload can still be downloaded by pressing the download button accompanying the claimed movie. It's worth mentioning that the attack does not operate on Telegram clients for the web or the native Windows app.
It's presently not apparent who is behind the exploit and how extensively it was utilized in real-world attacks. The same actor, however, advertised in January 2024 a fully undetectable Android crypter (aka cryptor) that can purportedly defeat Google Play Protect.
Hamster Kombat's Viral Success Spawns Malicious Copycat#
The development comes as cyber criminals are capitalizing on the Telegram-based cryptocurrency game Hamster Kombat for monetary gain, with ESET discovering fake app stores promoting the app, GitHub repositories hosting Lumma Stealer for Windows under the guise of automation tools for the game, and an unofficial Telegram channel that's used to distribute an Android trojan called Ratel.
The popular game, which began in March 2024, is anticipated to have more than 250 million players, according to the game developer. Telegram CEO Pavel Durov has termed Hamster Kombat the "fastest-growing digital service in the world" and that "Hamster's team will mint its token on TON, introducing the benefits of blockchain to hundreds of millions of people."
.webp)
Ratel, given via a Telegram channel named "hamster_easy," is meant to spoof the game ("Hamster.apk") and asks users to enable it notification access and set itself as the default SMS application. It subsequently starts contact with a distant server to retrieve a phone number as return.
In the next phase, the virus sends a Russian language SMS message to that phone number, likely belonging to the malware operators, to obtain additional instructions by SMS."The threat actors then become capable of controlling the compromised device via SMS: The operator message can contain a text to be sent to a specified number, or even instruct the device to call the number," ESET warned. "The malware is also able to check the victim's current banking account balance for Sberbank Russia by sending a message with the text баланc (translation: balance) to the number 900."
Ratel abuses its notification access capabilities to hide notifications from no less than 200 apps depending on a hard-coded list embedded within it. It's suspected that this is being done in an attempt to subscribe the victims to various premium services and prevent them from being alerted.
The Slovakian cybersecurity firm said it has discovered bogus application storefronts purporting to offer Hamster Kombat for download, but really exposes visitors to unwelcome adverts, and GitHub repositories offering Hamster Kombat automation tools that deploy Lumma Stealer instead.
"The success of Hamster Kombat has also brought out cybercriminals, who have already started to deploy malware targeting the players of the game," Štefanko and Peter Strýček said. "Hamster Kombat's popularity makes it ripe for abuse, which means that it is highly likely that the game will attract more malicious actors in the future."
BadPack Android Malware Slips Through the Cracks#
Beyond Telegram, malicious APK files targeting Android devices have also taken the shape of BadPack, which refer to specially made package files in which the header information used in the ZIP archive format has been altered in an attempt to obstruct static analysis.
In doing so, the objective is to prevent the AndroidManifest.xml file — a vital file that contains essential information about the mobile application – from being extracted and properly parsed, hence allowing malicious artifacts to be deployed without raising any red signals.
This approach was extensively described by Kaspersky earlier this April in relation with an Android virus known to as SoumniBot that has targeted consumers in South Korea. Telemetry data obtained by Palo Alto Networks Unit 42 from June 2023 through June 2024 has discovered nearly 9,200 BadPack samples in the wild, while none of them have been found on Google Play Store.
"These tampered headers are a key feature of BadPack, and such samples typically pose a challenge for Android reverse engineering tools," Unit 42 researcher Lee Wei Yeong stated in a paper published last week. "Many Android-based banking Trojans like BianLian, Cerberus and TeaBot use BadPack."