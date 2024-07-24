A zero-day vulnerability in the Telegram mobile app for Android, dubbed EvilVideo, allowed attackers to send malicious files disguised as seemingly innocuous videos.

EvilVideo, ESET's troubling discovery

According to ESET, the EvilVideo exploit was put up for sale for an unknown price on an underground forum on June 6, 2024; after ESET reported it on June 26, Telegram fixed the issue in version 10.14.5, released on July 11.

“Attackers could share malicious Android payloads via Telegram channels, groups and chats, making them look like media files,” security researcher Lukáš Štefanko said in a report about EvilVideo.

How EvilVideo works on the technical side

The EvilVideo payload is believed to have been created using Telegram's application programming interface (API), which allows scheduled uploading of media files to chats and channels. This way, an attacker can disguise a malicious APK file as a 30-second video.

Users who tap the video (hence the name EvilVideo) see a warning that the video cannot be played, urging them to try an external player. If they proceed, they are then asked to allow Telegram to install the APK file; the application in question is called “xHamster Premium Mod.”

“By default, media files received via Telegram are configured to be downloaded automatically,” Štefanko said about EvilVideo. “This means that users with the option enabled will automatically download the malicious payload once they open the conversation in which it was shared.”

While this option can be disabled manually, the payload can still be downloaded by tapping the download button shown next to the alleged video. It is worth noting that the EvilVideo attack does not work on Telegram web clients or the dedicated Windows application.

It is currently unclear who is behind the exploit or how much it has been used in real attacks; however, the same author advertised in January 2024 a completely undetectable Android crypter (aka cryptor) that can supposedly bypass Google Play Protect.

Hamster Kombat’s Viral Success Breeds Evil Imitators Alongside EvilVideo

The disclosure comes as cybercriminals exploit the Telegram-based cryptocurrency game Hamster Kombat for monetary gain: ESET has discovered fake app stores promoting the game, GitHub repositories hosting Lumma Stealer for Windows under the guise of gaming automation tools, and an unofficial Telegram channel used to distribute an Android Trojan called Ratel.

The popular game, launched in March 2024, is estimated to have more than 250 million players, according to its developer. Telegram CEO Pavel Durov called Hamster Kombat the “fastest growing digital service in the world” and stated that the “Hamster team will mint its token on TON, introducing the benefits of blockchain to hundreds of millions of people.”


Ratel, offered via a Telegram channel called “hamster_easy,” is designed to impersonate the game (“Hamster.apk”) and tricks users into granting it notification access and setting it as the default SMS application. It then contacts a remote server, which responds with a phone number.

In the next step, the malware sends a Russian-language SMS message to that number, which probably belongs to the malware operators, in order to receive further instructions via SMS.

“Cybercriminals then become able to control the compromised device via SMS: the operator’s message can contain a text to be sent to a specified number, or even instruct the device to call the number,” ESET said, adding: “The malware is also able to check the current balance of the victim’s bank account for Sberbank Russia by sending a message with the text баланс (translation: balance) to the number 900.”


Ratel uses its notification access permission to hide notifications from no fewer than 200 apps, based on a list hard-coded within it. This is suspected to be an attempt to subscribe victims to various premium services without them being notified.

The Slovak cybersecurity company also reported fake app stores that claim to offer Hamster Kombat for download but actually redirect users to unwanted advertisements, and GitHub repositories that offer automation tools for Hamster Kombat but actually distribute Lumma Stealer.

“The success of Hamster Kombat has also attracted cybercriminals, who have already started distributing malware targeting players of the game,” said Štefanko and Peter Strýček. “Hamster Kombat’s popularity makes it susceptible to abuse, which means the game is very likely to attract more cybercriminals in the future.”

In addition to EvilVideo, BadPack Android malware slips through detection

Beyond Telegram, malicious APK files targeting Android devices have also taken the form of BadPack, a name for specially crafted packages in which the header information of the ZIP archive format has been altered in an attempt to hinder static analysis.

The idea is to prevent the AndroidManifest.xml file (a crucial file that provides essential information about the mobile application) from being extracted and parsed properly, thus allowing malicious tools to be installed without raising any alarms.
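As an added defensive example (not from the article, ESET or Unit 42), the following Python script builds a constructed minimal APK-like ZIP, applies a BadPack-style alteration to the local file header of AndroidManifest.xml purely as a test fixture, and flags every entry whose local file header disagrees with its central directory record; field offsets follow the ZIP specification, and the check assumes that in a well-formed package the two views of an entry agree.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"
# Local file header (30 bytes): signature, version, flags, method, mod time,
# mod date, CRC-32, compressed size, uncompressed size, name length, extra length
LOCAL_FMT = "<4sHHHHHIIIHH"
DATA_DESCRIPTOR = 0x0008  # sizes and CRC live in a trailing descriptor instead

def build_sample_apk() -> bytes:
    """Constructed minimal APK-like archive (not a real app) used as sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest package='constructed.example'/>" * 8)
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
    return buf.getvalue()

def tamper_manifest_header(data: bytes) -> bytes:
    """Constructed BadPack-style test fixture: rewrite the compression method in
    AndroidManifest.xml's local header only, leaving the central directory intact."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        off = zf.getinfo("AndroidManifest.xml").header_offset
    out = bytearray(data)
    struct.pack_into("<H", out, off + 8, 0)  # method field sits at header offset 8
    return bytes(out)

def find_header_mismatches(data: bytes) -> list:
    """Report every field where an entry's local file header disagrees with its
    central directory record. zipfile only reads the central directory, so the
    local headers are parsed by hand here."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            off = info.header_offset
            hdr = data[off:off + 30]
            if len(hdr) < 30 or hdr[:4] != LOCAL_SIG:
                findings.append(f"{info.filename}: missing or corrupt local header")
                continue
            _, _, flag, method, _, _, crc, csize, usize, nlen, _ = struct.unpack(LOCAL_FMT, hdr)
            if data[off + 30:off + 30 + nlen] != info.filename.encode("utf-8"):
                findings.append(f"{info.filename}: local file name differs")
            if method != info.compress_type:
                findings.append(f"{info.filename}: method local={method} central={info.compress_type}")
            if not flag & DATA_DESCRIPTOR:  # otherwise these fields are legitimately zero
                if csize != info.compress_size or usize != info.file_size:
                    findings.append(f"{info.filename}: size mismatch")
                if crc != info.CRC:
                    findings.append(f"{info.filename}: CRC mismatch")
    return findings
```

Running `find_header_mismatches` over a clean build returns an empty list, while the fixture yields a single finding for the manifest's compression method.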

This technique was documented in detail by Kaspersky last April in connection with an Android Trojan called SoumniBot that targeted users in South Korea. Telemetry collected by Palo Alto Networks Unit 42 from June 2023 to June 2024 identified nearly 9,200 BadPack samples in circulation, although none of them were found on the Google Play Store.

“These tampered headers are a key feature of BadPack, and such samples typically pose a challenge to Android reverse engineering tools,” Unit 42 researcher Lee Wei Yeong said in a report released last week. “Many Android-based banking trojans such as BianLian, Cerberus, and TeaBot use BadPack.”