IntelEye


Telegram Manipulation Leads To Android Malware

Shay M

July 18, 2024

Cybersecurity researchers have recently uncovered a technique for spreading malware to Android devices by manipulating how file extensions are presented in the Telegram messaging app.

When the victim receives the file, it appears to be an ordinary video with an .mp4 extension.
When the file is opened for the first time, however, Android recognizes it as an .apk and prompts the user to install an application instead of playing a video. If the user accepts the prompt, or the phone lacks protections such as blocking installation from unknown sources, the malware is installed on the device.

Once installed, the malware requests a broad set of permissions, including access to saved contacts, SMS messages, the camera, the microphone, and all files stored on the device.
Some of the more advanced variants also abuse Android's accessibility services to grant themselves additional permissions without user interaction.

The malware then performs a wide range of malicious actions: monitoring and exfiltrating messages, call logs, and personal data; stealing credentials for financial services; propagating itself by sending the same malicious file to the victim's contacts; and giving the attacker remote control of the device so that actions can be performed on the victim's behalf.

How The Malware Works

The attacker creates a malicious Android package (APK) file, the standard format used to distribute and install applications on Android devices, and disguises it as a legitimate video by giving it an .mp4 extension.

The file is given a double extension (for example, video.mp4.apk): the .mp4 part leads the user to believe it is an ordinary video, while the trailing .apk keeps it an installable Android application package.
On some devices and in some chat clients, only the first extension (.mp4) is shown, so the user believes he is opening a video file.
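The practical defence against this trick is to classify a received file by its bytes rather than by the name a chat client displays. The following Python script is an added illustration, not code from the original post or from any vendor: it builds two constructed sample files in memory, a stand-in APK (a ZIP containing AndroidManifest.xml and classes.dex, with placeholder contents) and a stand-in MP4 (a bare ftyp box), and flags any file whose content is an APK but whose name ends in something else or chains a second extension after .mp4. The filenames and sample bytes are assumptions made for the demonstration.

```python
"""Classify a received file by its content rather than its displayed name.

Added example, not code from the original post. The two sample files below
are constructed stand-ins: a minimal ZIP carrying the entries every real APK
has, and a bare MP4 'ftyp' box. Filenames are likewise made up.
"""
import io
import os
import zipfile


def build_fake_apk() -> bytes:
    """Constructed APK stand-in: a ZIP with AndroidManifest.xml and classes.dex.

    The entry contents are placeholders, not real Android artifacts; the
    check below only cares that the entries exist.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"placeholder manifest")
        zf.writestr("classes.dex", b"dex\n035\x00placeholder")
    return buf.getvalue()


def build_fake_mp4() -> bytes:
    """Constructed MP4 stand-in: a 20-byte 'ftyp' box (size, type, brand, version, compat)."""
    return (20).to_bytes(4, "big") + b"ftyp" + b"isom" + b"\x00\x00\x00\x00" + b"isom"


def sniff_type(data: bytes) -> str:
    """Return 'mp4', 'apk', 'zip' or 'unknown' from the bytes alone."""
    # ISO-BMFF (MP4/MOV) files begin with a box whose type, at offset 4, is 'ftyp'.
    if len(data) >= 12 and data[4:8] == b"ftyp":
        return "mp4"
    # An APK is a ZIP archive; a ZIP begins with the PK local-file-header signature.
    if data[:4] == b"PK\x03\x04":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "unknown"
        # Every installable APK carries a binary manifest and at least one dex file.
        if "AndroidManifest.xml" in names and "classes.dex" in names:
            return "apk"
        return "zip"
    return "unknown"


def all_extensions(name: str) -> list[str]:
    """'holiday.mp4.apk' -> ['.mp4', '.apk']. Chained extensions are the trick."""
    exts: list[str] = []
    base = name
    while True:
        base, ext = os.path.splitext(base)
        if not ext:
            return exts
        exts.insert(0, ext.lower())


VIDEO_EXTS = {".mp4", ".mov", ".mkv", ".avi", ".3gp"}


def assess(name: str, data: bytes) -> dict:
    """Flag a file whose displayed name disagrees with what the bytes say it is."""
    exts = all_extensions(name)
    content = sniff_type(data)
    shown = exts[0] if exts else ""    # what a UI that truncates long names may display
    final = exts[-1] if exts else ""   # what the OS uses to pick the handler
    reasons = []
    if content == "apk" and final != ".apk":
        reasons.append(f"APK content under a {final or 'missing'} extension")
    if content == "apk" and len(exts) > 1:
        reasons.append(f"APK content with chained extensions {''.join(exts)}")
    if final in VIDEO_EXTS and content not in ("mp4", "unknown"):
        reasons.append(f"{final} name but {content} content")
    return {
        "name": name,
        "content": content,
        "extensions": exts,
        "displayed_as": shown,
        "disguised": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    samples = [
        ("holiday.mp4.apk", build_fake_apk()),  # double extension, shown as .mp4 on some UIs
        ("holiday.mp4", build_fake_apk()),      # outright renamed APK
        ("holiday.mp4", build_fake_mp4()),      # genuine video
        ("tool.apk", build_fake_apk()),         # honest APK name; untrusted, but not disguised
    ]
    for n, d in samples:
        r = assess(n, d)
        print(f"{n:18} content={r['content']:4} disguised={r['disguised']} {r['reasons']}")
```

The same logic applies on a file share or mail gateway: the ZIP signature plus the two mandatory entries is a far more reliable APK indicator than anything in the filename, and a name carrying more than one extension on an APK is by itself a reason to quarantine the file.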


The attackers use Telegram's file-sharing features and the platform itself to distribute the malicious file, and different versions of the malware are already being offered for sale on deep and dark web marketplaces, in closed Telegram hacking groups, and on crime forums.
