
A zero-day security vulnerability in Telegram’s Android mobile app, dubbed EvilVideo, could allow attackers to send malicious files disguised as harmless-looking videos.
According to ESET, the exploit was sold for an unknown price on an underground forum on June 6, 2024. Following responsible disclosure on June 26, Telegram fixed the issue in version 10.14.5, released on July 11.
“Attackers can share malicious Android payloads via Telegram channels, groups, and chats, disguising them as multimedia files,” security researcher Lukáš Štefanko said in the report.
The payload is believed to have been created using Telegram’s application programming interface (API), which allows multimedia files to be uploaded programmatically to chats and channels; this lets attackers make a malicious APK file appear as a 30-second video.
Users who click on the video are shown a warning message stating that the video cannot be played and are prompted to play it using an external player. If they continue with this process, they are then asked to allow the installation of an APK file via Telegram. The app in question is named “xHamster Premium Mod.”

“By default, media files received via Telegram are set to be downloaded automatically,” Štefanko said, “which means that users who have enabled this option will have their malicious payload downloaded automatically if they open a conversation in which it was shared.”
This option can be disabled manually, but the payload can still be downloaded by tapping the download button that accompanies the supposed video. Notably, the attack does not work on the Telegram web client or on the dedicated Windows app.
At this time, it’s unclear who is behind the exploit or how widely it has been used in real-world attacks, but the same seller advertised a supposedly fully undetectable Android crypter (aka cryptor) in January 2024 that was purportedly able to circumvent Google Play Protect.
Hamster Kombat’s viral success spawns vicious copycats
The disclosure comes as cybercriminals are using the Telegram-based cryptocurrency game Hamster Kombat for financial gain: ESET has discovered fake app stores promoting the app, a GitHub repository hosting the Lumma Stealer for Windows disguised as a game automation tool, and unofficial Telegram channels used to distribute the Ratel Android Trojan.
The popular game, released in March 2024, is estimated to have more than 250 million players, according to its developers. Telegram CEO Pavel Durov called Hamster Kombat “the fastest-growing digital service in the world” and said, “The Hamster team will issue tokens on TON to introduce hundreds of millions of people to the benefits of blockchain.”

Delivered through the “hamster_easy” Telegram channel, Ratel disguises itself as the game (“Hamster.apk”) and prompts the user to grant notification access and to set it as the default SMS application, after which it connects to a remote server and receives a phone number in response.
In the next step, the malware sends an SMS message in Russian to that phone number, which presumably belongs to the malware operators, and receives further instructions via SMS.
“The threat actor then gains control over the compromised device via SMS. The operator’s message can include a text to send to a specific number or even instruct the device to call that number,” ESET said. “The malware can also check the victim’s current bank account balance with Sberbank Russia by sending a message containing the text баланс (translation: balance) to a 900 number.”
Ratel abuses the notification permission to hide notifications from over 200 apps, based on an embedded, hardcoded list; this is suspected to be a way of subscribing victims to various premium services without their noticing the resulting warnings.
The Slovakian cybersecurity firm said it had also found fake application stores claiming to offer Hamster Kombat downloads but actually directing users to unwanted advertisements, as well as GitHub repositories offering Hamster Kombat automation tools that instead deploy the Lumma Stealer.
“Hamster Kombat’s success has also attracted cybercriminals, who have already begun deploying malware targeting the game’s players,” Štefanko and Peter Strýček said. “Hamster Kombat’s popularity creates an environment that is open to exploitation, and it is very likely that the game will attract even more bad actors in the future.”
BadPack Android malware slips through the cracks
Beyond Telegram, another family of malicious APK files targeting Android devices is known as BadPack, a term for specially crafted package files in which the header information used by the ZIP archive format has been modified to thwart static analysis.
The idea is that by doing so, the AndroidManifest.xml file – a critical file that provides important information about a mobile application – cannot be extracted and properly parsed by analysis tools, while the Android package installer still accepts the file and installs it without any warning.
This technique was documented in detail by Kaspersky in early April this year in connection with an Android Trojan called SoumniBot that targeted users in South Korea. Telemetry data collected by Palo Alto Networks Unit 42 from June 2023 to June 2024 found approximately 9,200 BadPack samples in the wild, but none on the Google Play Store.
“Malformed headers are a key feature of BadPack, and such samples usually pose a challenge for Android reverse engineering tools,” Unit 42 researcher Lee Wei Yeong wrote in a report published last week. “Many Android-based banking Trojans, such as BianLian, Cerberus, and TeaBot, use BadPack.”
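One defender-side check suggested by the BadPack description above: compare each ZIP central-directory entry with its local file header, since a tampered local header breaks tools that extract AndroidManifest.xml while the central directory still lists it. This is an added example, not code from ESET, Unit 42, Kaspersky or this article; the sample APK it inspects is constructed in the script, and the field it tampers with is a hypothetical illustration of a header mismatch.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"
# Local file header: sig, version, flags, method, time, date, crc, csize, usize, name_len, extra_len
LOCAL_HDR = struct.Struct("<4sHHHHHIIIHH")


def find_badpack_mismatches(data: bytes) -> list:
    """Compare every central-directory entry with its local file header.

    Extraction tools read the local header, so one that disagrees with an
    intact central directory breaks extraction of AndroidManifest.xml while
    directory listings look normal. Returns (entry, field, central, local).
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            start = info.header_offset
            hdr = data[start:start + LOCAL_HDR.size]
            if len(hdr) < LOCAL_HDR.size or hdr[:4] != LOCAL_SIG:
                findings.append((info.filename, "signature", LOCAL_SIG, hdr[:4]))
                continue
            _, _, flags, method, _, _, crc, csize, usize, nlen, _ = LOCAL_HDR.unpack(hdr)
            name = data[start + LOCAL_HDR.size:start + LOCAL_HDR.size + nlen]
            checks = {"compress_type": (info.compress_type, method),
                      "filename": (info.filename.encode(), name)}
            if not flags & 0x08:  # sizes/CRC are legitimately zero when a data descriptor is used
                checks.update(CRC=(info.CRC, crc), compress_size=(info.compress_size, csize),
                              file_size=(info.file_size, usize))
            for field, (central, local) in checks.items():
                if central != local:
                    findings.append((info.filename, field, central, local))
    return findings


def build_sample_apk(tamper: bool) -> bytes:
    """Constructed input (not a real sample): a minimal APK-like ZIP. With
    tamper=True the manifest's local-header compression method is overwritten
    (hypothetical field choice) so the two header copies disagree."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest package='example.app'/>" * 4)
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
    data = bytearray(buf.getvalue())
    if tamper:
        with zipfile.ZipFile(io.BytesIO(bytes(data))) as zf:
            off = zf.getinfo("AndroidManifest.xml").header_offset
        struct.pack_into("<H", data, off + 8, 0x0063)  # method field; central directory untouched
    return bytes(data)


if __name__ == "__main__":
    for tampered in (False, True):
        print("tampered" if tampered else "clean", find_badpack_mismatches(build_sample_apk(tampered)))
```

A clean archive yields no findings; the tampered one reports the manifest entry's compression method as 8 in the central directory but 0x63 in the local header, which is the kind of inconsistency a triage pipeline can flag before handing the APK to a decompiler.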