Telegram App Vulnerability Abused to Spread Malware Encrypted in Videos
Telegram App Vulnerability Abused to Spread Malware Encrypted in Videos
An attack could be carried out by malicious files that were disguised as films that appeared to be safe due to a zero-day security hole that was present in the EvilVideo mobile app for Android, which is used by Telegram.
According to ESET, the exploit was first made available for purchase in an underground forum on June 6, 2024, for an amount that was not specified. As a result of the responsible disclosure that took place on June 26, Telegram rectified the vulnerability in version 10.14.5, which was eventually released on July 11.
A study was written by Lukáš Štefanko, a security researcher, which stated that malicious Android payloads could be shared by attackers over Telegram channels, groups, and chat and that these payloads may be disguised as multimedia files.
Using Telegram’s Application Programming Interface (API), which enables programmatic uploads of multimedia files to conversations and channels, it is thought that the payload is crafted. This capability allows for the uploading of multimedia files. Consequently, it makes it possible for an adversary to conceal a malicious APK file by making it appear as a thirty-second film.
When a user clicks on the video, they are presented with a warning box that states the video cannot be played and encourages them to attempt to view it using an external player. In the event that they choose to proceed with the process, they will then be requested to grant permission for the installation of the APK file for Telegram. This particular application is known by its name, “xHamster Premium Mod.”
“By default, media files received via Telegram are set to download automatically,” a spokesperson stated. “This means that users with the option enabled will automatically download the malicious payload once they open the conversation where it was shared.”
Although it is possible to disable this option manually, the payload can still be downloaded by hitting the download button that is located next to the video that is supposed to be playing. Noting that the attack does not work on Telegram clients for the web or the specialized Windows app is something that should be taken into consideration.
At this time, it is not known who is responsible for the exploit or how widespread its use was in attacks that took place in the real world. The same person, on the other hand, advertised in January 2024 a completely undetectable Android crypter, also known as a cryptor, which is rumored to be able to circumvent Google Play Protect.
Hamster Kombat’s Viral Success Spawns Malicious Copycat
ESET discovered fake app stores that promoted the app, GitHub repositories that hosted Lumma Stealer for Windows under the guise of automation tools for the game, and an unofficial Telegram channel that is used to distribute an Android trojan called Ratel. This development comes at a time when cybercriminals are attempting to profit from the utilization of the cryptocurrency game Hamster Kombat, which is based on Telegram.
According to the producer of the game, the popular game, which was released in March of 2024, is anticipated to have more than 250 million players. The Chief Executive Officer of Telegram, Pavel Durov, has referred to Hamster Kombat as the “fastest-growing digital service in the world.” He also stated that “Hamster’s team will mint its token on TON,” which would introduce the advantages of blockchain technology to hundreds of millions of people.
Ratel, which is made available through a Telegram channel called “hamster_easy,” is intended to spoof the game (which is referred to as “Hamster.apk”) and asks users to enable its notification access and configure itself as the default SMS application. After that, it makes contact with a remote server in order to obtain a phone number as a response.
In the subsequent phase, the malicious software will send a text message in Russian to the phone number that is most likely associated with the malware operators. The purpose of this message is to obtain additional instructions by text message.
“The threat actors then become capable of controlling the compromised device via SMS: The operator message can contain a text to be sent to a specified number, or even instruct the device to call the number,” according to ESET researchers. “The malware is also able to check the victim’s current banking account balance for Sberbank Russia by sending a message with the text баланc (translation: balance) to the number 900.”
Because of a hard-coded list that is integrated within it, Ratel takes advantage of its notification access capabilities in order to conceal notifications from at least 200 different applications. It is believed that this is being done in an effort to subscribe the victims to a variety of premium services and prevent them from being notified of the situation.
The cybersecurity company from Slovakia reported that it had also discovered bogus application marketplaces that claimed to offer Hamster Kombat for download but really sent users to advertisements that they did not wish to see. Additionally, the company discovered GitHub repositories that offered Hamster Kombat automation tools but instead deployed Lumma Stealer.
“The success of Hamster Kombat has also brought out cybercriminals, who have already started to deploy malware targeting the players of the game,” the authors of the article claimed. “Hamster Kombat’s popularity makes it ripe for abuse, which means that it is highly likely that the game will attract more malicious actors in the future.”
BadPack Android Malware Slips Through the Cracks
In addition to Telegram, malicious APK files that target Android devices have also taken the shape of BadPack. BadPack is a term that refers to specially made package files in which the header information that is utilized in the ZIP archive format has been altered in an effort to obstruct static analysis.
By doing so, the goal is to prevent the AndroidManifest.xml file, which is an important file that gives key information about the mobile application, from being extracted and properly parsed. This will make it possible for malicious components to be installed without causing any red flags to be raised.
At the beginning of April of this year, Kaspersky conducted considerable research and documentation on this method in relation to an Android malware known as SoumniBot, which has been targeting consumers in South Korea. Nearly 9,200 BadPack samples have been spotted in the wild, according to the telemetry data collected by Palo Alto Networks Unit 42 between June 2023 and June 2024. However, none of these samples have been discovered on the Google Play Store.
“These tampered headers are a key feature of BadPack, and such samples typically pose a challenge for Android reverse engineering tools,” stated Lee Wei Yeong, a researcher at Unit 42, in a paper that was published the previous week. “Many Android-based banking Trojans like BianLian, Cerberus, and TeaBot use BadPack.”
Update
In a statement that was distributed to The Hacker News, Telegram stated that the exploit does not constitute a vulnerability in the platform. Additionally, the company announced that it has implemented a server-side remedy on July 9, 2024, in order to protect its users.
A statement made by the business emphasized that the exploit only offers a security risk when users install the software after overcoming the security feature. “It would have required users to open the video, adjust Android safety settings, and then manually install a suspicious-looking ‘media app’,” the company claimed.
According to Google, Android smartphone users are automatically protected against trojans by means of Google Play Protect, which is turned on by default on all devices that are equipped with Google Play Services. “Google Play Protect can warn users or block apps considered to exhibit malicious behavior, even when those apps come from sources outside of Play,” it stated in its announcement.
About The Author:
Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space. Besides writing for the News4Hackers blogs, he also writes for brands including Craw Security, Bytecode Security, and NASSCOM.
READ MORE ARTICLE HERE
A Security Firm has Discovered that a Remote Employee is a North Korean Hacker
An Elderly from Bengaluru Duped of ₹1.2 crore After Receiving a Fake Call from a Fake Telecom Department Officer
WazirX, the Famous Crypto Exchange, Offering ₹180 Crores Hefty Bounty After the Major Cyberattack On Its Server
About Author
English