A zero-day security flaw in Telegram's mobile app for Android called EvilVideo made it possible for attackers to share malicious files disguised as harmless-looking videos.
The exploit appeared for sale for an unknown price in an underground forum on June 6, 2024, ESET said. Following responsible disclosure on June 26, the issue was addressed by Telegram in version 10.14.5 released on July 11.
“Attackers could share malicious Android payloads via Telegram channels, groups, and chat, and make them appear as multimedia files,” security researcher Lukáš Štefanko said in a report.
It is believed that the payload is concocted using Telegram's application programming interface (API), which allows for programmatic uploads of multimedia files to chats and channels. In doing so, it allows an attacker to camouflage a malicious APK file as a 30-second video.
Users who click on the video are shown an actual warning message stating that the video cannot be played and urging them to try playing it using an external player. Should they proceed with that step, they are subsequently asked to allow installation of the APK file via Telegram. The app in question is called “xHamster Premium Mod.”
“By default, media files received via Telegram are set to download automatically,” Štefanko said. “This means that users with the option enabled will automatically download the malicious payload once they open the conversation where it was shared.”
While this option can be disabled manually, the payload can still be downloaded by tapping the download button accompanying the supposed video. It's worth noting that the attack does not work on Telegram clients for the web or the dedicated Windows app.
It's currently not clear who is behind the exploit and how widely it was used in real-world attacks. The same actor, however, advertised in January 2024 a fully undetectable Android crypter (aka cryptor) that can reportedly bypass Google Play Protect.
Hamster Kombat’s Viral Success Spawns Malicious Copycat
The development comes as cyber criminals are capitalizing on the Telegram-based cryptocurrency game Hamster Kombat for monetary gain, with ESET discovering fake app stores promoting the app, GitHub repositories hosting Lumma Stealer for Windows under the guise of automation tools for the game, and an unofficial Telegram channel that's used to distribute an Android trojan called Ratel.
The popular game, which launched in March 2024, is estimated to have more than 250 million players, according to the game developer. Telegram CEO Pavel Durov has called Hamster Kombat the “fastest-growing digital service in the world” and said that “Hamster's team will mint its token on TON, introducing the benefits of blockchain to hundreds of millions of people.”
Ratel, offered via a Telegram channel named “hamster_easy,” is designed to impersonate the game (“Hamster.apk”) and prompts users to grant it notification access and set itself as the default SMS application. It subsequently initiates contact with a remote server to get a phone number as the response.
In the next step, the malware sends a Russian-language SMS message to that phone number, likely belonging to the malware operators, to receive further instructions over SMS.
“The threat actors then become capable of controlling the compromised device via SMS: The operator message can contain a text to be sent to a specified number, or even instruct the device to call the number,” ESET said. “The malware is also able to check the victim's current banking account balance for Sberbank Russia by sending a message with the text баланс (translation: balance) to the number 900.”
Ratel abuses its notification access permissions to hide notifications from at least 200 apps based on a hard-coded list embedded within it. It's suspected that this is being done in an attempt to subscribe the victims to various premium services and prevent them from being alerted.
The Slovakian cybersecurity firm said it also observed fake application storefronts claiming to offer Hamster Kombat for download, but actually directing users to unwanted ads, and GitHub repositories offering Hamster Kombat automation tools that deploy Lumma Stealer instead.
“The success of Hamster Kombat has also brought out cybercriminals, who have already started to deploy malware targeting the players of the game,” Štefanko and Peter Strýček said. “Hamster Kombat's popularity makes it ripe for abuse, which means that it's highly likely that the game will attract more malicious actors in the future.”
BadPack Android Malware Slips Through the Cracks
Beyond Telegram, malicious APK files targeting Android devices have also taken the form of BadPack, which refers to specially crafted package files in which the header information used in the ZIP archive format has been altered in an attempt to hinder static analysis.
In doing so, the idea is to prevent the AndroidManifest.xml file – a crucial file that provides essential information about the mobile application – from being extracted and properly parsed, thereby allowing malicious artifacts to be installed without raising any red flags.
This technique was extensively documented by Kaspersky earlier this April in connection with an Android trojan known as SoumniBot that has targeted users in South Korea. Telemetry data gathered by Palo Alto Networks Unit 42 from June 2023 through June 2024 has detected nearly 9,200 BadPack samples in the wild, although none of them have been found on the Google Play Store.
“These tampered headers are a key feature of BadPack, and such samples generally pose a challenge for Android reverse engineering tools,” Unit 42 researcher Lee Wei Yeong said in a report published last week. “Many Android-based banking Trojans like BianLian, Cerberus and TeaBot use BadPack.”
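One defensive triage check that covers both the EvilVideo disguise (an APK delivered as if it were a video) and the BadPack header tampering described above, written as an added example that is not from the article, ESET or Unit 42: it sniffs whether a file is really a ZIP/APK regardless of its name, and compares every entry's local file header against the central directory. The specific tampering (compression method and sizes zeroed in the local header of AndroidManifest.xml) is an assumption standing in for the alterations the article does not detail, and the sample archive is constructed inline.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"  # ZIP local file header signature; every APK starts with it
REQUIRED = {"AndroidManifest.xml", "classes.dex"}


def build_sample_apk(tamper: bool) -> bytes:
    """Constructed sample: a minimal APK-shaped ZIP (not a real app). With tamper=True the
    local file header of AndroidManifest.xml is rewritten so its compression method and
    sizes disagree with the central directory. This is an assumed shape for a BadPack-style
    header alteration; the article gives no byte-level details."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest package='sample'/>" * 20)
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
    data = bytearray(buf.getvalue())
    if tamper:
        off = zipfile.ZipFile(io.BytesIO(bytes(data))).getinfo("AndroidManifest.xml").header_offset
        struct.pack_into("<H", data, off + 8, 0)       # method field: deflated -> "stored"
        struct.pack_into("<II", data, off + 18, 0, 0)  # compressed / uncompressed size -> 0
    return bytes(data)


def check_apk(data: bytes) -> dict:
    """Triage a downloaded file: is it really a ZIP/APK regardless of its extension, and do
    the per-entry local headers agree with the central directory?"""
    result = {"is_zip": data[:4] == LOCAL_SIG, "is_apk": False, "header_mismatches": []}
    if not result["is_zip"]:
        return result  # e.g. an MP4 starts with '....ftyp', never with 'PK'
    zf = zipfile.ZipFile(io.BytesIO(data))
    result["is_apk"] = REQUIRED <= set(zf.namelist())
    for info in zf.infolist():
        off = info.header_offset
        if data[off:off + 4] != LOCAL_SIG:
            result["header_mismatches"].append((info.filename, "local signature"))
            continue
        (method,) = struct.unpack_from("<H", data, off + 8)
        csize, usize = struct.unpack_from("<II", data, off + 18)
        if method != info.compress_type:
            result["header_mismatches"].append((info.filename, "compression method"))
        # Streamed entries (flag bit 3) legitimately carry zero sizes in the local header and
        # put the real values in a trailing data descriptor, so only compare when bit 3 is clear.
        if not info.flag_bits & 0x08 and (csize, usize) != (info.compress_size, info.file_size):
            result["header_mismatches"].append((info.filename, "sizes"))
    return result


if __name__ == "__main__":
    for tamper in (False, True):
        print("tampered" if tamper else "clean", check_apk(build_sample_apk(tamper)))
```

A file named like a video that reports `is_zip`/`is_apk` true, or any APK with entries in `header_mismatches`, deserves a closer look before the usual extraction tools are trusted on it.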