ESET researchers have discovered a new strain of Android RAT named HeroRat which abuses the Telegram protocol for command and control and data exfiltration.
According to the researchers, the malware has been spreading since at least August 2017, and in March 2018 its source code was made available for free on various Telegram hacking channels.
The malware is spread through third-party app stores disguised as social media and messaging apps.
Once the malware is installed, a small popup appears claiming the app can’t be installed on the device and will be uninstalled. An uninstallation process is shown, and the app’s icon disappears.
The uninstallation is a trick: by the time it is shown, the malware has already infected the device.
After gaining access to the victim’s device, the attacker leverages Telegram’s bot functionality to control it: the infected device is registered with and operated through a Telegram bot that the attacker drives from the Telegram client.
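As an added illustration (not code from the ESET report or this article), the following Python script scans constructed egress-proxy log lines for the traffic pattern that bot-driven control implies: a non-Telegram app polling a Telegram bot for commands and uploading data through the same bot token. It generalises beyond HeroRat to Bot API abuse in general; the log format, package names, bot token and the choice of polling/upload methods are assumptions.

```python
import re
from collections import defaultdict

# Bot API requests look like https://api.telegram.org/bot<token>/<method>. The token shape
# (numeric bot id, colon, secret) follows Telegram's documented format; the 20-char minimum
# for the secret is an assumption made for this example.
BOT_API_RE = re.compile(r"https?://api\.telegram\.org/bot(?P<token>\d+:[A-Za-z0-9_-]{20,})/(?P<method>[A-Za-z]+)")
# A bot-driven RAT polls getUpdates for operator commands and pushes collected data with
# send* methods. The article does not list HeroRat's methods; this split is an assumption
# that covers Bot API abuse generally.
POLL_METHODS = {"getUpdates"}
EXFIL_METHODS = {"sendMessage", "sendDocument", "sendPhoto", "sendAudio", "sendVoice", "sendVideo"}

# Constructed egress-proxy log: "<time> <device> <app package> <verb> <url> <bytes out>".
# Package names, the bot token and the MTProto host are made up for this example.
SAMPLE_LOG = """\
2018-06-20T09:01:02Z phone-01 com.example.freebitcoin POST https://api.telegram.org/bot123456789:AAEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPL/getUpdates 210
2018-06-20T09:01:07Z phone-01 com.example.freebitcoin POST https://api.telegram.org/bot123456789:AAEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPL/sendDocument 184320
2018-06-20T09:01:09Z phone-02 org.telegram.messenger POST https://mtproto-dc.example:443/ 1200
2018-06-20T09:02:00Z phone-01 com.example.freebitcoin POST https://api.telegram.org/bot123456789:AAEXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPL/getUpdates 210
2018-06-20T09:03:15Z phone-03 com.example.weather GET https://api.weather.example/today 512
"""

def analyze(log_text):
    """Group Bot API calls per (device, app, bot token) and rate each group."""
    groups = defaultdict(lambda: {"polls": 0, "exfil_bytes": 0, "methods": set()})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # blank or malformed line
        _time, device, app, _verb, url, nbytes = fields
        m = BOT_API_RE.search(url)
        if not m:
            continue  # not Bot API traffic (the real Telegram client speaks MTProto, not the Bot API)
        g = groups[(device, app, m.group("token"))]
        g["methods"].add(m.group("method"))
        if m.group("method") in POLL_METHODS:
            g["polls"] += 1
        elif m.group("method") in EXFIL_METHODS:
            g["exfil_bytes"] += int(nbytes)
    findings = []
    for (device, app, token), g in groups.items():
        # Command polling plus uploads from the same non-Telegram app is the C2 pattern;
        # Bot API use on its own only merits review, since some legitimate apps send notifications.
        severity = "high" if g["polls"] and g["exfil_bytes"] else "review"
        findings.append({"device": device, "app": app, "bot_id": token.split(":")[0], "severity": severity,
                         "polls": g["polls"], "exfil_bytes": g["exfil_bytes"], "methods": sorted(g["methods"])})
    return findings
```

Only the numeric bot id is kept in the finding so that the secret part of the token is not copied into tickets or dashboards.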
HeroRat is capable of spying and file exfiltration, including intercepting text messages and contacts, making calls, sending text messages, recording audio and the screen, extracting the device location, and controlling the infected device’s settings.
The attackers offer three packages for the malware depending on the features: bronze, silver and gold panels at $25, $50 and $100 respectively. The author also offers the malware’s source code for 650 USD.
“The malware’s capabilities are accessible in the form of clickable buttons in the Telegram bot interface. Attackers can control victimized devices by simply tapping the buttons available in the version of the malware they are operating,” ESET researchers said in their post.
Unlike other Android RATs, which are written in Java for Android, HeroRat was developed from scratch in C# using the Xamarin framework.
The malware infects all Android versions and was seen distributed mostly in Iran as apps promising free bitcoins, free internet connections and additional followers on social media.
Always follow these basic steps to protect your smartphone from infection:
- Keep “Allow installation from unknown sources” switched off in the security settings, which blocks installing apps from third-party and anonymous sources.
- Don’t download attachments from unknown sources.
- Always use the Google Play Store to install apps; don’t use third-party app stores.
- Download apps from verified developers and check their rating and download count before installing.
- Verify an app’s permissions before installing it.
- Install a reputable, up-to-date antivirus/anti-malware app that can detect and block this type of malware.
- Always keep Google Play Protect switched on.
- Always keep your device OS and apps up to date.