Analysis Summary

A zero-day security flaw in Telegram's Android mobile app, dubbed EvilVideo, was identified on June 6, 2024. This vulnerability allowed attackers to distribute malicious files disguised as harmless videos via Telegram channels groups, and chats.

The exploit was for sale on an underground forum before being disclosed to Telegram on June 26, 2024. Telegram addressed the issue in version 10.14.5 released on July 11, 2024. Security researchers described how attackers used Telegram's API to disguise malicious APK files as 30-second videos, tricking users into installing malware named "xHamster Premium Mod."

The attack leveraged Telegram's default media auto-download setting, meaning that users automatically downloaded the malicious payload upon opening a conversation where it was shared. Even if this setting was disabled, users could still manually download the payload. The exploit did not affect Telegram's web or Windows clients. The identity and reach of the attackers remain unknown but the same actor had previously advertised an undetectable Android crypter capable of bypassing Google Play Protect.

The popularity of the Telegram-based cryptocurrency game Hamster Kombat which launched in March 2024 and has over 250 million players has led to various malicious activities. Cybercriminals are promoting fake app stores, GitHub repositories, and unofficial Telegram channels to distribute malware. One such malware, Ratel, disguised as "Hamster.apk," requests extensive permissions and communicates with a remote server for further instructions. It hides notifications from numerous apps to prevent users from detecting its malicious activities.

In addition to Telegram-based threats, malicious APK files targeting Android devices have emerged as BadPack characterized by altered ZIP archive headers to obstruct static analysis. This technique prevents crucial files from being extracted and analyzed allowing malicious software to evade detection. BadPack has been associated with various banking trojans like BianLian, Cerberus, and TeaBot. Telemetry data has identified nearly 9,200 BadPack samples from June 2023 to June 2024, though none were found on Google Play Store.

The increasing sophistication of these attacks highlights the growing threat to Android users. With the success of popular platforms like Hamster Kombat, cybercriminals are continually developing new methods to exploit users. This trend underscores the importance of heightened security measures timely software updates and user awareness to mitigate the risks posed by these evolving threats.

Impact

• Sensitive Data Theft
• Security Bypass
• Financial Loss
• Unauthorized Access

Indicators of Compromise

SHA1

• f159886dcf9021f41eaa2b0641a758c4f0c4033d

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Ensure you have the latest version of Telegram (version 10.14.5 or later) to protect against the EvilVideo exploit.
• Manually disable the auto-download feature for media files in Telegram settings to prevent the automatic downloading of malicious payloads.
• Avoid following prompts to open videos with external players, especially from untrusted sources.
• Only download and install apps or multimedia files from trusted and verified sources, and be cautious of files shared through social media and messaging apps.
• Use reputable antivirus or anti-malware software to regularly scan your device for any malicious files or applications.
• Keep yourself updated with the latest security advisories and follow recommended practices from cybersecurity firms and app developers.
• Raise awareness about potential security threats and safe practices among peers and family members.
• If you encounter suspicious files or activities, report them to the respective app support teams and cybersecurity authorities.
• Regularly review and manage app permissions to ensure no unnecessary access is granted to potentially harmful apps.