A previously undisclosed vulnerability in Telegram’s Android app, known as EvilVideo, was exploited by malicious actors to distribute malicious files disguised as seemingly harmless videos.
According to ESET, the exploit was put up for sale at an undisclosed price on an underground forum on June 6, 2024. Telegram addressed the issue in version 10.14.5 released on July 11 following a responsible disclosure on June 26.
In a report, security expert Lukáš Štefanko mentioned, “Perpetrators could spread harmful Android payloads through Telegram channels, groups, and chats, camouflaging them as multimedia files.”
It is speculated that the payload is created using Telegram’s application programming interface (API), which facilitates automatic uploads of multimedia files to chats and channels, enabling attackers to disguise a malicious APK file as a brief video clip.
When users click on the video, they receive a notification stating that the video cannot be played and are prompted to attempt playing it using an external player. If they proceed, they are then requested to authorize the installation of the APK file through Telegram, which is named “xHamster Premium Mod.”

“By default, multimedia files received via Telegram are set to download automatically,” Štefanko explained. “Therefore, users with this setting enabled will unknowingly download the dangerous payload once they open the conversation in which it was shared.”
Although users can manually disable this option, the malware can still be downloaded by tapping the download button accompanying the supposed video. Notably, this attack does not affect Telegram clients for the web or the dedicated Windows application.
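The attack described above works because the receiving side trusts the sender-supplied label (a video) rather than the file’s actual contents (an APK). The following added example, which is not part of the original report or of Telegram’s code, shows the defensive counterpart: sniffing the container format from the leading bytes and blocking an installable package that arrives labelled as media. The function names, the MIME-type handling and the constructed fixture are assumptions for illustration.

```python
import io
import zipfile


def sniff_container(data: bytes) -> str:
    """Identify the container format from the leading bytes of the file, ignoring
    whatever name or MIME type the sender attached to it."""
    if data[:4] == b"PK\x03\x04":
        # An APK is a ZIP archive carrying an Android manifest and dex bytecode.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "zip-unreadable"
        if "AndroidManifest.xml" in names or any(n.endswith(".dex") for n in names):
            return "apk"
        return "zip"
    if len(data) >= 12 and data[4:8] == b"ftyp":   # ISO BMFF: MP4, MOV, 3GP
        return "mp4"
    if data[:4] == b"\x1a\x45\xdf\xa3":            # EBML: Matroska / WebM
        return "webm"
    if data[:4] == b"RIFF" and data[8:12] == b"AVI ":
        return "avi"
    return "unknown"


VIDEO_CONTAINERS = {"mp4", "webm", "avi"}
VIDEO_EXTENSIONS = (".mp4", ".mov", ".3gp", ".mkv", ".webm", ".avi")


def check_attachment(declared_mime: str, filename: str, data: bytes) -> str:
    """Verdict for a received attachment: 'ok', a 'warn: ...' or a 'block: ...'."""
    actual = sniff_container(data)
    declared_video = (declared_mime.lower().startswith("video/")
                      or filename.lower().endswith(VIDEO_EXTENSIONS))
    if actual == "apk":
        # An installable package should never arrive labelled as media.
        suffix = " disguised as video" if declared_video else ""
        return "block: installable APK" + suffix
    if declared_video and actual not in VIDEO_CONTAINERS:
        return f"warn: declared video but content is {actual}"
    return "ok"


def build_fake_video_apk() -> bytes:
    """Constructed fixture (not a real sample): a minimal APK-shaped ZIP that a
    sender could label as a video."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()


if __name__ == "__main__":
    mp4 = b"\x00\x00\x00\x18ftypmp42\x00\x00\x00\x00mp42isom"   # constructed MP4 header
    print(check_attachment("video/mp4", "clip.mp4", mp4))                     # ok
    print(check_attachment("video/mp4", "clip.mp4", build_fake_video_apk()))  # block: installable APK disguised as video
```

The check deliberately inspects the ZIP’s file list rather than stopping at the `PK` signature, because many benign formats (documents, archives) are also ZIP containers; only the presence of an Android manifest or dex code makes the file installable.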
The actors behind the exploit and the extent of its use in real-world attacks remain unclear. Nevertheless, the same actors had previously advertised a fully undetectable Android cryptor in January 2024 that could bypass Google Play Protect.
Hamster Kombat’s Runaway Success Spawns Copycat Malicious Activity
ESET has also uncovered cybercriminals exploiting the popularity of the Telegram-based cryptocurrency game Hamster Kombat for financial gain: fake app stores advertising the game, GitHub repositories hosting Lumma Stealer for Windows disguised as game automation tools, and an unofficial Telegram channel distributing an Android trojan called Ratel.
The immensely popular game, initiated in March 2024, is estimated to boast over 250 million gamers, as stated by the game’s creator. Telegram’s CEO Pavel Durov has described Hamster Kombat as the “fastest-growing digital service globally,” announcing that the “Hamster’s team will introduce its token on TON, bringing blockchain benefits to hundreds of millions of users.”
Ratel, promoted through a Telegram channel named “hamster_easy,” masquerades as the game (“Hamster.apk”), requesting users to grant it notification access and designate itself as the primary SMS app. Subsequently, it establishes contact with an external server to retrieve a phone number as a response.
Following this, the malware sends a Russian language SMS to the obtained number, presumably belonging to the malware operators, to receive further instructions via SMS.
“Subsequently, the assailants gain control over the infiltrated device via SMS: The operator’s message might contain a pre-set text to be sent to a specific number or instruct the device to initiate a call to the number,” detailed ESET. “Moreover, the malware can inspect the victim’s Sberbank Russia’s current account balance by sending the text баланс (meaning: balance) to the number 900.”
Ratel abuses its notification access permission to hide alerts from more than 200 applications on a pre-configured list. This behaviour is believed to serve premium-service subscription fraud: victims are signed up without ever seeing the confirmation messages.
The Slovak cybersecurity company also reported counterfeit app stores claiming to offer Hamster Kombat for download that instead redirect to unwanted advertisements, and GitHub repositories offering Hamster Kombat automation tools that surreptitiously deliver Lumma Stealer.
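The two capabilities Ratel asks for, notification access and the default SMS handler role, both have to be declared in an app’s manifest, which makes the combination cheap to flag during static triage of an APK. The added example below, which is not ESET’s code or anything from the report, parses an AndroidManifest.xml (already decoded to text, as apktool or aapt would emit it) and reports that combination. The function names, the scoring and the sample manifest are constructed for illustration; the permission and action strings are the standard Android ones.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

SMS_PERMISSIONS = {
    "android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS", "android.permission.WRITE_SMS",
}
NOTIFICATION_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
SMS_DELIVER = "android.provider.Telephony.SMS_DELIVER"


def triage_manifest(manifest_xml: str) -> dict:
    """Static triage of a decoded AndroidManifest.xml: report notification-listener
    and SMS-handling capabilities and flag their combination."""
    root = ET.fromstring(manifest_xml)
    requested = {p.get(NAME) for p in root.iter("uses-permission")}
    # A NotificationListenerService is a <service> guarded by the BIND_... permission.
    listener = any(s.get(PERMISSION) == NOTIFICATION_LISTENER for s in root.iter("service"))
    # Receiving SMS_DELIVER is one of the requirements for an app to be eligible
    # as the default SMS handler, so its presence shows the app is built for that role.
    sms_handler = any(a.get(NAME) == SMS_DELIVER for a in root.iter("action"))
    sms = sorted(requested & SMS_PERMISSIONS)

    findings = []
    if listener:
        findings.append("notification listener: can read and dismiss other apps' alerts")
    if sms_handler or sms:
        findings.append("SMS access: can send and receive messages outside the stock messaging app")
    if listener and (sms_handler or sms):
        findings.append("notification listener combined with SMS control: matches the SMS-commanded trojan pattern")
    return {
        "package": root.get("package"),
        "notification_listener": listener,
        "default_sms_handler": sms_handler,
        "sms_permissions": sms,
        "findings": findings,
    }


# Constructed sample manifest (hypothetical package name), not taken from any real APK.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.hamster.fake">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Hamster">
    <service android:name=".NotifService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
    <receiver android:name=".SmsReceiver" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_DELIVER"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for line in triage_manifest(SAMPLE_MANIFEST)["findings"]:
        print("-", line)
```

A game has no legitimate reason to ask for either capability, so in a triage pipeline a non-empty `findings` list for an app that presents itself as a game is enough to pull the sample for manual review; the check says nothing about apps (messaging clients, accessibility tools) where those permissions are expected.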
“The success of Hamster Kombat has attracted cybercriminals who have promptly commenced distributing malware targeting the game’s players,” mentioned Štefanko and Peter Strýček. “The game’s wide popularity makes it vulnerable to misuse, implying that more malicious individuals might target it in the future.”
BadPack Android Malware Eludes Detection
Beyond Telegram, malicious APK files targeting Android devices have taken the form of BadPack, a technique that tampers with the header information in the ZIP archive that makes up the package in order to hinder static analysis.
The manipulation is intended to thwart the extraction and proper parsing of the AndroidManifest.xml file—which carries the application’s essential metadata—so that malicious components can be installed without raising any alerts.
The technique was previously documented by Kaspersky this April in connection with an Android trojan called SoumniBot that targeted South Korean users. Telemetry collected by Palo Alto Networks Unit 42 identified nearly 9,200 BadPack samples in the wild between June 2023 and June 2024, none of which were found on the Google Play Store.
“These altered headers are a distinctive trait of BadPack, and such samples generally pose a challenge for Android reverse engineering tools,” stated Lee Wei Yeong from Unit 42 in a recent report. “Various Android-based banking trojans such as BianLian, Cerberus, and TeaBot leverage BadPack.”
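A ZIP archive stores each entry’s metadata twice: in a local file header immediately before the entry’s data and in the central directory at the end of the file. Tools that walk the local headers and tools that walk the central directory should see the same values; a package whose two copies disagree for AndroidManifest.xml is exactly the kind of sample that trips up reverse-engineering tools. The added example below, which is not Unit 42’s or Kaspersky’s code, parses the local headers by hand (PKWARE APPNOTE 4.3.7 layout) and reports every field on which they disagree with the central directory. The function names are assumptions, and the tampered fixture is constructed for testing the check rather than taken from any real sample.

```python
import io
import struct
import zipfile

LOCAL_HEADER_SIG = b"PK\x03\x04"
LOCAL_HEADER_FMT = "<HHHHHIIIHH"   # the 26 bytes that follow the 4-byte signature
DATA_DESCRIPTOR_FLAG = 0x0008


def parse_local_header(data: bytes, offset: int) -> dict:
    """Parse the 30-byte ZIP local file header at `offset`."""
    if data[offset:offset + 4] != LOCAL_HEADER_SIG:
        raise ValueError(f"no local file header at offset {offset:#x}")
    (_version, flags, method, _mtime, _mdate, crc, csize, usize,
     name_len, _extra_len) = struct.unpack_from(LOCAL_HEADER_FMT, data, offset + 4)
    name = data[offset + 30:offset + 30 + name_len].decode("utf-8", "replace")
    return {"name": name, "flags": flags, "method": method, "crc": crc,
            "compress_size": csize, "file_size": usize}


def find_header_mismatches(archive: bytes) -> list:
    """Compare every central-directory entry with the local header it points to.
    Returns (entry name, field, central value, local value) per disagreement."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:   # zipfile reads the central directory
        for info in zf.infolist():
            local = parse_local_header(archive, info.header_offset)
            checks = [("name", info.filename), ("method", info.compress_type)]
            # With the data-descriptor flag set, CRC and sizes are legitimately zero
            # in the local header and live in a trailer after the entry's data.
            if not local["flags"] & DATA_DESCRIPTOR_FLAG:
                checks += [("crc", info.CRC), ("compress_size", info.compress_size),
                           ("file_size", info.file_size)]
            for field, central_value in checks:
                if local[field] != central_value:
                    findings.append((info.filename, field, central_value, local[field]))
    return findings


def build_sample_apk(tamper: bool = False) -> bytes:
    """Constructed fixture, not a real sample: a minimal APK-shaped ZIP. With
    tamper=True the compression-method field in the local header of
    AndroidManifest.xml is overwritten so it no longer matches the central
    directory, the kind of inconsistency the check above is meant to surface."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>" * 20)
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
    data = bytearray(buf.getvalue())
    if tamper:
        with zipfile.ZipFile(io.BytesIO(bytes(data))) as zf:
            offset = zf.getinfo("AndroidManifest.xml").header_offset
        struct.pack_into("<H", data, offset + 8, 0xFFFF)   # method field sits at +8
    return bytes(data)


if __name__ == "__main__":
    for label, blob in (("clean", build_sample_apk()), ("tampered", build_sample_apk(tamper=True))):
        print(label, find_header_mismatches(blob) or "local headers agree with the central directory")
```

The data-descriptor caveat matters in practice: streamed archives legitimately leave CRC and sizes as zero in the local header, so a naive comparison would flag them as tampered. Restricting the size and CRC comparison to entries without that flag keeps the check usable on real-world APKs while still catching the name and compression-method inconsistencies.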