Lookout Coverage and Recommendation for Admins

Lookout will detect the vulnerability as EvilVideo and the final payload as CypherRAT. However, since this seems to only affect out-of-date versions of Telegram before 10.14.5, Lookout admins can do the following to proactively protect their users:

• Ensure that the Application Vulnerability policy, which will detect when a vulnerable app version is on the device, is turned on. Depending on your organization’s risk policies, you can choose the severity and whether to alert the device or block their access to corporate data until the malicious app is uninstalled.
• Ensure that all application malware policies are enabled with high severity and set to block access to corporate data until the malware is uninstalled.

Overview 

Researchers at ESET recently disclosed their discovery of a zero-day vulnerability in the Telegram app for Android that attackers can exploit by sending the user malicious files posing as videos. Telegram, like most messaging apps, has a default setting that will download a file automatically upon receipt so the end user can view it instantly without waiting for it to load. This setting enables attackers to exploit the vulnerability in Telegram as it automatically downloads the payload in the fake video file. 

If the user tries to play the video, Telegram will throw a standard message that it cannot play that video type and eventually asks the user if they would like to install an app to view it. The app that they’re asked to download is the malicious payload.

Lookout Analysis

Lookout will detect the payload as CypherRAT, which is built on SpyNote, a commodity spyware tool for Android that is used broadly across the mobile threat landscape. In fact, it was one of the top 10 most encountered malware families in the first quarter of 2024 according to our Q1 Mobile Threat Landscape Report.  SpyNote is capable of stealing sensitive data off the infected device including location, passwords, call logs, SMS messages, and external storage. It also requests access to the device’s camera and microphone and can examine web browsing behavior. 

Since commodity mobile malware is so readily available, there has been an increase in smaller scale cybercrime groups or lone wolf actors being able to execute more advanced campaigns. However, since commodity malware is shared so widely across other malware families, Lookout customers can rest assured that they’re protected. With the world’s largest AI-driven mobile security dataset, Lookout has detected countless samples of commodity malware like SpyNote being used in other malware that is developed every day. These detections enable automated protection against invasive malware for all Lookout customers.

‍