Telegram was named the favorite messenger of carders

Carding Forum

In the first half of 2024, the services hackers used most often to communicate were the Telegram messenger and private messages on darknet forums, Dmitry Kiryushkin, head of BI.ZONE Brand Protection, told "Gazeta.Ru".

"From January 1 to June 24, 2024, attackers most often used Telegram and private messages on forums to communicate. During this period, there were more than 66,000 mentions of Telegram and more than 22,000 mentions of personal messages on communication forums," the expert specified.

Telegram has gained popularity among hackers due to its wide audience – about 900 million users per month. This, as Kiryushkin explained, allows scammers to quickly find potential victims and interact with them.

Criminals also prefer services that have already established themselves as reliable and secure, and Telegram is simply a convenient communication tool.

In addition to Telegram, the specialist added, hackers often use Tox, Jabber and Discord. The choice of service depends on the attacker's goals and the desired level of anonymity and security.

Previously, "Gazeta.Ru" wrote about why hackers fell in love with the ICQ messenger, which stopped working on June 26.
 
ESET researchers have described a zero-day vulnerability in Telegram for Android, dubbed EvilVideo. The flaw allowed attackers to send malicious APKs disguised as video files to users.

According to the researchers, a hacker using the nickname Ancryno began selling an exploit for this zero-day on June 6, 2024. In his post on the XSS hacking forum, he wrote that the bug is present in Telegram for Android version 10.14.4 and older.

Although the attacker initially claimed that the exploit was of the one-click type (that is, it works in one click and requires minimal human interaction), in fact, a number of steps and certain settings were required to execute the malicious payload on the victim's device, which significantly reduced the risk of a successful attack.

ESET specialists were able to detect the problem after a PoC demonstration of the vulnerability was published in a public Telegram channel, which allowed them to obtain the malicious payload.

According to the company's report, the exploit actually works only in Telegram version 10.14.4 and older. ESET analyst Lukas Stefanko notified Telegram developers about the problem on June 26 and again on July 4, 2024. Soon after, Telegram representatives responded that they were studying the researchers' report, and then fixed the vulnerability in version 10.14.5, released on July 11, 2024.

Although it is not known whether this problem was used in real attacks, ESET found a control server at infinityhackscharan.ddns[.]net that was used by the payload mentioned above. In addition, according to the publication Bleeping Computer, VirusTotal managed to find two malicious APK files that use this control server. The detected apps were posing as Avast Antivirus or xHamster Premium Mod.

The EvilVideo vulnerability allowed attackers to create special APK files that looked like embedded videos when sent to other Telegram users.

Researchers believe that the exploit used the Telegram API to programmatically create a message that looked like a 30-second video. Since Telegram for Android automatically downloads media files by default, users received the payload on their device as soon as they opened the conversation. If automatic downloading was disabled, the user had to click on the preview to initiate downloading the file.

When a user tried to play the fake video, Telegram reported that it could not open the video and suggested using an external player, which could have prompted the victim to click on the "Open" button and execute the payload.

However, the next stage required an additional step that seriously reduced the effectiveness of such attacks: the victim had to manually allow the installation of applications from unknown sources in the settings so that the malicious APK could be installed on the device.

ESET experts note that they tested the exploit in the Telegram web client and Telegram for desktops and found that it does not work there, since the payload is perceived as a video file in MP4 format.

In the corrected version of Telegram for Android (10.14.5), APK files are displayed correctly and can no longer be passed off as videos.

• Source: https://www.welivesecurity.com/en/e...ing-evilvideo-vulnerability-telegram-android/
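
A defender-side check for the mismatch described above, as an added example that is not part of the original post and is not ESET's or Telegram's code: it flags an attachment that is declared as a video but whose bytes are an APK (a ZIP archive with `AndroidManifest.xml` at its root). The function names, the extension list and the sample bytes are assumptions constructed for illustration.

```python
import io
import zipfile

# Extensions treated as "claims to be a video" (assumed list for this example).
VIDEO_EXTS = (".mp4", ".m4v", ".mov", ".3gp", ".mkv", ".webm")


def classify(data: bytes) -> str:
    """Identify content from its bytes, ignoring the declared name and MIME type."""
    if data[:4] == b"PK\x03\x04":  # ZIP local file header
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "zip-damaged"
        # An APK is a ZIP archive with AndroidManifest.xml at its root.
        return "apk" if "AndroidManifest.xml" in names else "zip"
    if data[4:8] == b"ftyp":  # ISO base media (MP4/MOV/3GP) file-type box
        return "mp4"
    if data[:4] == b"\x1a\x45\xdf\xa3":  # EBML header (Matroska/WebM)
        return "matroska"
    return "unknown"


def is_disguised_apk(filename: str, declared_mime: str, data: bytes) -> bool:
    """True when an attachment is presented as video but is structurally an APK."""
    claims_video = (declared_mime.lower().startswith("video/")
                    or filename.lower().endswith(VIDEO_EXTS))
    return claims_video and classify(data) == "apk"


def sample_apk() -> bytes:
    """Constructed, inert sample: a ZIP with placeholder APK entry names only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"placeholder")
        zf.writestr("classes.dex", b"placeholder")
    return buf.getvalue()


def sample_mp4() -> bytes:
    """Constructed sample: only the leading 'ftyp' box of an MP4 file."""
    return b"\x00\x00\x00\x18ftypisom\x00\x00\x02\x00isommp41"


if __name__ == "__main__":
    for name, mime, data in [("clip.mp4", "video/mp4", sample_apk()),
                             ("clip.mp4", "video/mp4", sample_mp4()),
                             ("app.apk", "application/vnd.android.package-archive", sample_apk())]:
        print(name, classify(data), "DISGUISED" if is_disguised_apk(name, mime, data) else "ok")
```

The same comparison of declared type against content applies wherever attachments are scanned before they reach a device, for example at a mail or file gateway.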