A zero-day security flaw in Telegram’s mobile app for Android, dubbed EvilVideo, was exploited to spread malware disguised as harmless-looking videos. This vulnerability was discovered by ESET researchers and has since been addressed by Telegram, highlighting the importance of swift action in cybersecurity.
Discovery and Exploitation
The EvilVideo exploit was first identified on an underground forum on June 6, 2024, where it was offered for sale. The flaw allowed attackers to use Telegram’s application programming interface (API) to upload a malicious Android package (APK) that the Android client rendered as a multimedia file. When users tapped the supposed video, they were shown a warning that it could not be played and a suggestion to try an external player. If the user proceeded, they were prompted to install an APK named “xHamster Premium Mod,” unknowingly installing the malware.
Lukáš Štefanko, a security researcher at ESET, detailed how attackers could share these malicious files via Telegram channels, groups, and chats. The payload was cleverly disguised to exploit Telegram’s multimedia sharing feature, making it appear as a benign 30-second video. This deceptive tactic was facilitated by Telegram’s API, which enabled programmatic uploads of multimedia files to chats and channels.
User Impact and Mitigation
One of the critical aspects of this exploit was its ability to download malware automatically for users who had enabled the automatic download of media files. Štefanko noted, “By default, media files received via Telegram are set to download automatically.” This meant that users with this setting enabled would automatically download the malicious payload upon opening the conversation where it was shared.
Even for users who had disabled automatic downloads, the payload could still be downloaded by tapping the download button accompanying the supposed video. Notably, this attack vector did not affect Telegram clients for the web or the dedicated Windows app, limiting its impact to Android users.
Following the responsible disclosure of the flaw on June 26, Telegram acted quickly to patch the issue. The fix was included in version 10.14.5, released on July 11, 2024. Users are strongly advised to update their Telegram app to the latest version to avoid potential exploitation.
Broader Context of Cyber Threats
The exploitation of the EvilVideo vulnerability is part of a broader trend of cybercriminals targeting popular platforms to distribute malware. In another related incident, cybercriminals capitalized on the popularity of the Telegram-based cryptocurrency game, Hamster Kombat, to spread malicious software.
Hamster Kombat, which launched in March 2024, quickly gained over 250 million players. This rapid growth made it an attractive target for cybercriminals. ESET researchers discovered fake app stores promoting the game, GitHub repositories hosting malware disguised as automation tools, and an unofficial Telegram channel distributing an Android trojan named Ratel.
Ratel, distributed via a Telegram channel named “hamster_easy,” impersonated the game and prompted users to grant it notification access and set it as the default SMS application. Once installed, Ratel contacted a remote server to obtain a phone number and send a Russian language SMS message, likely to the malware operators. This allowed the operators to control the compromised device via SMS, sending messages, making calls, and even checking the victim’s banking account balance.
Continuing Threats and Vigilance
The cybersecurity landscape remains fraught with challenges as cybercriminals continually adapt their tactics. Beyond Telegram, other malicious APK files targeting Android devices have emerged, such as those built with the BadPack technique. An APK is a ZIP archive, and these specially crafted packages tamper with the local file headers of that archive to obstruct static analysis, so that tools which rely on those headers cannot extract or decode crucial files like AndroidManifest.xml. Because Android itself resolves archive members through the ZIP central directory rather than the local headers, the tampered app still installs and runs normally, while the analysis tooling fails.
Kaspersky documented this technique in April 2024 in connection with an Android trojan called SoumniBot, which targeted users in South Korea. Palo Alto Networks’ Unit 42 reported nearly 9,200 BadPack samples in the wild between June 2023 and June 2024, although none were found on the Google Play Store.
Lee Wei Yeong, a researcher at Unit 42, noted, “These tampered headers are a key feature of BadPack, and such samples typically pose a challenge for Android reverse engineering tools.” Many Android-based banking trojans, including BianLian, Cerberus, and TeaBot, have utilized this technique.
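A check a malware analyst can run for this kind of header tampering, as an added example that is not code from ESET, Kaspersky or Unit 42: the script below builds a tiny APK-like ZIP in memory (constructed data, not a real sample), poisons one member's local file header with an unsupported compression method and zeroed CRC/size fields (illustrative values, not copied from any BadPack sample), then parses both the central directory and the local headers and reports every field that disagrees. It also shows that a reader which trusts only the central directory, as Python's zipfile and Android's installer do, still extracts the manifest from the tampered archive.

```python
"""Spot BadPack-style ZIP local-header tampering in an APK.

Android's installer resolves members through the central directory at the
end of the archive; many analysis tools walk the local file headers at the
front.  Poisoned local headers leave installation intact but break the
tools.  Added example; the sample archive is constructed here.
"""
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"

# Stand-in manifest body (real APKs carry binary AXML here).
MANIFEST = b"<manifest package='example.app'/>" * 8


def build_clean_apk() -> bytes:
    """Build a tiny, well-formed APK-like ZIP entirely in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", MANIFEST)
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
    return buf.getvalue()


def parse_central_directory(data: bytes) -> dict:
    """Return {name: fields} as an installer sees them."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    count, _cd_size, pos = struct.unpack_from("<HII", data, eocd + 10)
    entries = {}
    for _ in range(count):
        if data[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError("bad central directory signature at %#x" % pos)
        # +10: method(2) time(2) date(2) crc(4) csize(4) usize(4)
        #      nlen(2) xlen(2) clen(2); +42: local header offset(4)
        method, crc, csize, usize, nlen, xlen, clen = struct.unpack_from(
            "<H4xIIIHHH", data, pos + 10)
        (local_off,) = struct.unpack_from("<I", data, pos + 42)
        name = data[pos + 46:pos + 46 + nlen].decode()
        entries[name] = dict(method=method, crc=crc, csize=csize,
                             usize=usize, local_offset=local_off)
        pos += 46 + nlen + xlen + clen
    return entries


def parse_local_header(data: bytes, off: int) -> dict:
    """Parse the local file header at `off` (what many analysis tools use)."""
    if data[off:off + 4] != LOCAL_SIG:
        raise ValueError("bad local file header signature at %#x" % off)
    # +8: method(2) time(2) date(2) crc(4) csize(4) usize(4) nlen(2)
    method, crc, csize, usize, nlen = struct.unpack_from("<H4xIIIH", data, off + 8)
    name = data[off + 30:off + 30 + nlen].decode()
    return dict(name=name, method=method, crc=crc, csize=csize, usize=usize)


def tamper_local_header(data: bytes, name: str) -> bytes:
    """Poison one member's local header: unsupported compression method and
    zeroed CRC/size fields (illustrative values, not from a real sample).
    The central directory and the compressed bytes are left untouched."""
    out = bytearray(data)
    off = parse_central_directory(data)[name]["local_offset"]
    struct.pack_into("<H", out, off + 8, 0x1337)       # bogus method
    struct.pack_into("<III", out, off + 14, 0, 0, 0)   # crc, csize, usize
    return bytes(out)


def find_header_mismatches(data: bytes) -> dict:
    """Compare every central-directory entry with its local header.
    Returns {name: [disagreeing field, ...]}; {} means consistent."""
    findings = {}
    for name, cd in parse_central_directory(data).items():
        lh = parse_local_header(data, cd["local_offset"])
        bad = [f for f in ("method", "crc", "csize", "usize") if lh[f] != cd[f]]
        if lh["name"] != name:
            bad.append("name")
        if bad:
            findings[name] = bad
    return findings


def read_via_central_directory(data: bytes, name: str) -> bytes:
    """Extract a member trusting only the central directory, as zipfile and
    Android's installer do; this succeeds even with tampered local headers."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name)


if __name__ == "__main__":
    clean = build_clean_apk()
    bad = tamper_local_header(clean, "AndroidManifest.xml")
    print("clean:", find_header_mismatches(clean))
    print("tampered:", find_header_mismatches(bad))
    print("installer-style read still works:",
          read_via_central_directory(bad, "AndroidManifest.xml") == MANIFEST)
```

Any non-empty result from `find_header_mismatches` on a real APK is worth a second look: the ZIP specification requires the two header copies to agree, and a mismatch in the compression method or sizes is exactly the condition that makes tools which trust the local header fail while the app still installs.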
Conclusion
The swift resolution of the EvilVideo exploit by Telegram underscores the importance of quick response and collaboration in cybersecurity. Users are urged to remain vigilant, keep their apps updated, and be cautious of suspicious links and downloads. As cyber threats continue to evolve, proactive measures and timely updates are crucial in maintaining a secure digital environment.