A zero-day vulnerability in Telegram’s Android app, dubbed “EvilVideo,” allowed attackers to disguise malicious files as harmless-looking videos.
The exploit appeared for sale in an underground forum on June 6, 2024. Following responsible disclosure, Telegram addressed the issue on June 26 and released a fix in version 10.14.5 on July 11.
Security researcher Lukáš Štefanko reported that attackers could share malicious Android payloads via Telegram channels, groups, and chats, making them appear as multimedia files. This allowed attackers to camouflage a malicious APK file as a 30-second video.
When users tapped the video, they received a warning that it could not be played and were urged to try an external player. If they proceeded, they were then prompted to allow Telegram to install the APK file, which presented itself as an app named “xHamster Premium Mod.”
Cybersecurity Risks
By default, media files received via Telegram are set to download automatically, causing users to download the malicious payload automatically when they open the conversation where it was shared. While this option can be disabled manually, the payload can still be downloaded by tapping the download button accompanying the supposed video. This attack does not affect Telegram clients for the web or the dedicated Windows app.
It is currently unclear who is behind the exploit and how widely it was used in real-world attacks. However, the same actor reportedly advertised a fully undetectable Android crypter in January 2024 that can bypass Google Play Protect.
Malicious Activity Around Hamster Kombat Game
The popularity of the Telegram-based cryptocurrency game Hamster Kombat has attracted cybercriminals looking to capitalize on its success. ESET has discovered fake app stores promoting the game, GitHub repositories hosting Lumma Stealer for Windows under the guise of automation tools for the game, and an unofficial Telegram channel distributing an Android trojan called Ratel.
Ratel, offered via a Telegram channel named “hamster_easy,” is designed to impersonate the game (“Hamster.apk”) and prompts users to grant it notification access and set it as the default SMS application. It then contacts a remote server, receives a phone number in the response, and sends a Russian-language SMS message to that number, which likely belongs to the malware operators, in order to receive further instructions over SMS.
Malware Techniques
Beyond Telegram, malicious APK files targeting Android devices have taken the form of BadPack: specially crafted package files whose ZIP header fields have been altered to obstruct static analysis. The tampering prevents the AndroidManifest.xml file, which carries the essential information about the application, from being extracted and properly parsed by analysis tools, while the package still installs without raising any red flags.
This technique was extensively documented by Kaspersky in April in connection with an Android trojan called SoumniBot, targeting users in South Korea. Telemetry data from Palo Alto Networks Unit 42 detected nearly 9,200 BadPack samples in the wild from June 2023 through June 2024, although none were found on the Google Play Store.
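The BadPack passage above describes ZIP header tampering that breaks analysis tooling while the installer still accepts the package. The following is an added example (not code from the article or from the vendors it cites) of one triage heuristic a defender can apply: compare each entry's local file header against the central directory, since a package whose two views of the same entry disagree deserves a closer look. The constructed sample and the specific fields tampered with (compression method and sizes) are assumptions made for illustration, not a claim about any particular BadPack sample.

```python
import io
import struct
import zipfile

LOCAL_HDR = struct.Struct("<4sHHHHHIIIHH")  # ZIP local file header, 30 bytes
LOCAL_SIG = b"PK\x03\x04"

def build_sample_apk_like_zip() -> bytes:
    """Constructed sample: a minimal APK-shaped ZIP with an AndroidManifest.xml entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest package='example.constructed'/>" * 4)
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
    return buf.getvalue()

def tamper_local_header(data: bytes, name: str) -> bytes:
    """Constructed BadPack-style edit (assumed fields): corrupt method and sizes in one
    entry's local header while the central directory, which the installer trusts, stays intact."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        off = zf.getinfo(name).header_offset
    hdr = list(LOCAL_HDR.unpack_from(data, off))
    hdr[3], hdr[7], hdr[8] = 0xFFFF, 0, 0xFFFFFFFF  # method, compressed size, uncompressed size
    return data[:off] + LOCAL_HDR.pack(*hdr) + data[off + LOCAL_HDR.size:]

def find_header_mismatches(data: bytes) -> dict:
    """Return {filename: [field, ...]} for entries whose local header disagrees
    with the central directory; an empty dict means the two views agree."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            off = info.header_offset
            if data[off:off + 4] != LOCAL_SIG:
                findings[info.filename] = ["signature"]
                continue
            _, _, flags, method, _, _, crc, csize, usize, _, _ = LOCAL_HDR.unpack_from(data, off)
            bad = []
            if method != info.compress_type:
                bad.append("compression_method")
            if not flags & 0x08:  # bit 3 set: sizes/CRC legitimately live in a data descriptor
                if csize != info.compress_size:
                    bad.append("compressed_size")
                if usize != info.file_size:
                    bad.append("uncompressed_size")
                if crc != info.CRC:
                    bad.append("crc32")
            if bad:
                findings[info.filename] = bad
    return findings
```

Running `find_header_mismatches` over the clean sample returns an empty dict, while the tampered copy flags the manifest entry; in a real pipeline the same check can gate which packages go to manual review.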
Conclusion
The spread of malware through Telegram and popular games highlights the importance of users being vigilant and maintaining strict security measures. While timely identification and resolution of security vulnerabilities are crucial, user awareness and caution are equally essential in preventing malware attacks.