An Android remote access Trojan (RAT) is using Telegram’s bot functionality to control infected devices, researchers said.
The HeroRat malware has been in circulation since August last year and, as of March, the RAT’s source code has been available for free on Telegram hacking channels, said researchers at ESET.
Although the source code is free, one variant is offered on a dedicated Telegram channel at three price points, depending on functionality. A support video channel is also available, the security company has discovered.
“It is unclear whether this variant was created from the leaked source code, or if it is the ‘original’ whose source code was leaked,” ESET’s Lukas Stefanko said in a blog post.
HeroRat differs from other Android RATs in that it has been developed from scratch in C#, using the Xamarin framework, Stefanko said. This is a rare combination for Android malware, as previously analyzed Trojans were written in standard Android Java.
The malware author adapted the Telegram protocol to the programming language used. Instead of using the Telegram Bot API, as other RATs do, the new threat uses Telesharp, a library for creating Telegram bots with C#. All communication to and from the infected devices is performed using the Telegram protocol.
The malware is distributed via third-party app stores, social media, and messaging apps.
The malicious program is compatible with all Android versions, but it requires users to grant it a broad range of permissions, sometimes even activating its app as device administrator. With these permissions, the threat can then erase all data on the device, lock the screen, change passwords, and change password rules.
After the installation has been completed and the malware is launched, a popup appears (in either English or Persian), claiming the app can’t run and that it is being uninstalled. The victim is then informed the uninstallation has been completed, and the app icon disappears.
The malware, however, continues to run in the background, and the attacker can start using Telegram’s bot functionality to control the newly infected device. A bot operated via the Telegram app controls each compromised device, Stefanko said.
HeroRat can spy on victims and exfiltrate files from the infected devices. It can intercept text messages, steal contacts, send text messages, make calls, record audio and the screen, obtain the device’s location, and control the device’s settings.