Telegram App Flaw Exploited to Spread Malware Hidden in Videos
An undisclosed security vulnerability in Telegram’s Android mobile application, dubbed EvilVideo, was exploited by cybercriminals to distribute malicious files disguised as innocuous-looking videos.
ESET reported that the exploit was put up for sale on an underground forum on June 6, 2024. Telegram addressed the issue in version 10.14.5, released on July 11, following responsible disclosure on June 26.
In a statement, security researcher Lukáš Štefanko pointed out, “Attackers could disseminate harmful Android payloads through Telegram channels, groups, and chats by representing them as multimedia files.”
The payload appears to be built with Telegram’s application programming interface (API), which allows multimedia files to be uploaded programmatically to chats and channels; this is what lets a malicious APK file be presented as a 30-second video.
When users try to play the video, they see a warning that it cannot be played and a suggestion to use an external player. If they proceed, Telegram prompts them to allow installation of the APK file. The malicious app is titled “xHamster Premium Mod.”

“By default, media files received via Telegram are set to download automatically,” Štefanko mentioned. “Users with this option enabled will automatically download the malicious payload upon accessing the conversation where it was shared.”
Even when this setting is disabled, tapping the download icon shown on the supposed video still fetches the payload. Notably, the technique does not work on Telegram’s web clients or the dedicated Windows app.
It is not yet known who is behind the exploit or how widely it has been used in real-world attacks. The same seller, however, advertised a supposedly fully undetectable Android crypter in January 2024, claimed to be capable of bypassing Google Play Protect.
Hamster Kombat’s Phenomenal Rise Begets Malicious Clone
As hackers seek to profit from the Telegram-based cryptocurrency game Hamster Kombat, ESET uncovered counterfeit app stores endorsing the game, GitHub repositories hosting Lumma Stealer under the guise of game automation tools, and an illicit Telegram channel distributing an Android trojan known as Ratel.
Hamster Kombat, launched in March 2024, is believed to have over 250 million players, according to the game’s developers. Telegram CEO Pavel Durov hailed Hamster Kombat as the “fastest-growing digital service globally,” revealing plans to debut the game’s token on TON to introduce blockchain benefits to millions.
Ratel, distributed through a Telegram channel named “hamster_easy,” impersonates the game (“Hamster.apk”) and asks the user to grant notification access and to set it as the default messaging app. It then contacts a remote server and is subsequently controlled over SMS.
To that end, the malware sends an SMS in Russian to a phone number obtained from the server, potentially owned by the threat actors, through which it receives further directives via SMS.
“This grants the threat actors control over the infected device via SMS: Operator messages may include instructions to text a specific number or even command the device to dial the number,” as per ESET’s findings. “The malware also fetches the current Sberbank Russia account balance by sending a message with the ‘balance’ text to 900.”
Ratel abuses the notification access permission to hide notifications from more than 200 apps on a hard-coded list, most likely so that it can sign victims up for premium services without alerting them.
The Slovak cybersecurity firm also identified fake app stores that claim to offer Hamster Kombat for download but instead redirect users to unwanted ads, as well as GitHub repositories offering Lumma Stealer disguised as Hamster Kombat automation tools.
“The rising popularity of Hamster Kombat has attracted cybercriminals who are now leveraging malware against gamers,” Štefanko and Peter Strýček warned. “The game’s wide acclaim makes it a prime target for abuse, indicating an increased likelihood of more malicious activities surrounding the game.”
BadPack Android Malware Evades Detection
Aside from Telegram, malicious APK files targeting Android devices are increasingly using BadPack, a term for tailored package files in which the header information of the ZIP archive format is altered to impede static analysis.
The tampering is meant to stop analysis tools from extracting and correctly parsing AndroidManifest.xml, the file that carries essential details about the app, so that malicious components can be installed without raising any flags.
Kaspersky documented the technique in detail in April in connection with SoumniBot, an Android trojan targeting South Korean users. Palo Alto Networks Unit 42, analysing samples collected from June 2023 to June 2024, identified almost 9,200 BadPack samples in the wild, none of which were found on the Google Play Store.
“Tampered headers are a distinctive feature of BadPack, making them challenging for Android reverse engineering tools,” said Unit 42 researcher Lee Wei Yeong in a recent report. “Several Android-based banking Trojans such as BianLian, Cerberus, and TeaBot have adopted BadPack.”
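As an added triage example (not code from ESET, Unit 42 or this article), the Python script below covers both techniques described here from the analyst's side: `looks_like_apk` checks whether bytes a client presents as a video are actually a ZIP carrying an Android manifest, and `find_header_mismatches` walks a ZIP's central directory and reports entries whose local file header disagrees with it, which is the kind of inconsistency BadPack relies on. `build_sample` produces a constructed fixture (a tiny ZIP, not a real APK) so the checks can be run offline.

```python
import io
import struct
import zipfile

# ZIP local file header: sig, ver, flags, method, mtime, mdate, crc32, csize, usize, nlen, xlen
LOCAL_HEADER = "<4sHHHHHIIIHH"
LOCAL_SIG = b"PK\x03\x04"
DATA_DESCRIPTOR = 0x0008  # flag bit: CRC/sizes live in a trailing descriptor, not the header


def looks_like_apk(data: bytes) -> bool:
    """True if bytes presented as 'media' are really a ZIP carrying an Android manifest."""
    if not data.startswith(LOCAL_SIG):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return "AndroidManifest.xml" in zf.namelist()
    except zipfile.BadZipFile:
        return False


def find_header_mismatches(data: bytes) -> dict:
    """Entry name -> [(field, central_dir_value, local_header_value)] wherever the local header
    disagrees with the central directory; {} for a clean archive. Python's zipfile trusts the
    central directory, so it still opens such files; tools that trust the local header misparse."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():  # ZIP64 entries are not handled here
            sig, _v, flags, method, _t, _d, crc, csize, usize, _n, _x = \
                struct.unpack_from(LOCAL_HEADER, data, info.header_offset)
            checks = [("signature", LOCAL_SIG, sig), ("compress_type", info.compress_type, method)]
            if not flags & DATA_DESCRIPTOR:  # otherwise these three are legitimately zero
                checks += [("CRC", info.CRC, crc), ("compress_size", info.compress_size, csize),
                           ("file_size", info.file_size, usize)]
            bad = [(f, c, l) for f, c, l in checks if c != l]
            if bad:
                findings[info.filename] = bad
    return findings


def build_sample(tamper: bool) -> bytes:
    """Constructed fixture (not a real APK): a tiny ZIP with a manifest entry. tamper=True
    overwrites the local header's method and sizes so they contradict the central directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", "<manifest package='example.test'/>" * 8)
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 64)
    data = bytearray(buf.getvalue())
    if tamper:
        off = zipfile.ZipFile(io.BytesIO(bytes(data))).getinfo("AndroidManifest.xml").header_offset
        struct.pack_into("<H", data, off + 8, 0xFFFF)  # compression method field -> bogus value
        struct.pack_into("<II", data, off + 18, 0, 0)  # compressed/uncompressed sizes -> 0
    return bytes(data)
```

On a real sample, feed the file bytes to both functions; an archive that opens cleanly in `zipfile` yet reports mismatches on AndroidManifest.xml is worth a closer look.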