A significant security issue, dubbed EvilVideo, was discovered in Telegram’s Android app. This flaw allowed attackers to send harmful files disguised as seemingly harmless videos.

Discovery and Resolution Timeline

On June 6, 2024, the exploit was listed for sale on an underground forum for an undisclosed price, as reported by ESET. After a responsible disclosure on June 26, Telegram addressed the issue in version 10.14.5, released on July 11.

You might be interested in: Managed Detection and Response (MDR): What is it?

How the Exploit Works

According to security researcher Lukáš Štefanko, attackers could use Telegram channels, groups, and chats to distribute malicious Android payloads masquerading as multimedia files. The payload was likely crafted using Telegram’s API, which supports programmatic uploads of multimedia files to chats and channels, enabling an attacker to disguise a malicious APK file as a short video.

When users clicked on the video, they received a warning that the video could not be played and were advised to try an external player. If they proceeded, they would be prompted to approve the installation of the APK file via Telegram. The malicious application was named “xHamster Premium Mod.”

Automatic Downloads and Security Risks

Štefanko noted that media files received via Telegram are set to download automatically by default. This means users with this setting enabled would automatically download the malicious payload upon opening the conversation where it was shared. Even if the automatic download is disabled, the payload could still be downloaded by pressing the download button next to the video. This attack does not affect Telegram’s web clients or the native Windows app.

Unknown Attacker and Previous Exploits

The identity of the exploit’s creator and the extent of its real-world usage remain unclear. However, the same attacker offered an undetectable Android crypter in January 2024, claiming it could bypass Google Play Protect.

Hamster Kombat and Malicious Copycats

The success of the Telegram-based cryptocurrency game Hamster Kombat has led to malicious imitations. ESET found fake app stores promoting the game, GitHub repositories hosting Lumma Stealer under the guise of game automation tools, and an unofficial Telegram channel distributing an Android trojan called Ratel.

Details of the Hamster Kombat Game and Ratel Malware

Hamster Kombat, launched in March 2024, reportedly has over 250 million players. Telegram CEO Pavel Durov described it as the “fastest-growing digital service in the world” and announced plans to mint its token on TON, integrating blockchain benefits for millions.

Ratel, distributed via the Telegram channel “hamster_easy,” mimics the game and prompts users to grant notification access and set it as the default SMS app. The malware contacts a remote server to obtain a phone number, then sends a Russian-language SMS to that number for further instructions. This enables attackers to control the compromised device via SMS, including sending texts, making calls, and checking bank account balances for Sberbank Russia.

Ratel also hides notifications from over 200 apps, likely to subscribe victims to premium services without their knowledge. ESET discovered fake app stores claiming to offer Hamster Kombat but redirecting users to ads and GitHub repositories deploying Lumma Stealer instead.

Future Threats and Security Concerns

The popularity of Hamster Kombat has attracted cybercriminals, leading to the deployment of malware targeting the game’s players. This trend is expected to continue, making the game a prime target for malicious actors.

BadPack Android Malware

Beyond Telegram, a new type of malicious APK file called BadPack has emerged, using altered ZIP archive headers to evade static analysis. This technique prevents the AndroidManifest.xml file, which contains essential app information, from being properly extracted and analyzed. Kaspersky highlighted this method in April in connection with the SoumniBot trojan, which targeted South Korean users. Palo Alto Networks Unit 42 found over 9,200 BadPack samples in the wild from June 2023 to June 2024, though none were found on the Google Play Store. These tampered headers pose a significant challenge for Android reverse engineering tools and are commonly used in banking trojans like BianLian, Cerberus, and TeaBot.

By understanding these vulnerabilities and the methods attackers use, users and developers can better protect their devices and applications from similar threats in the future.