HeroRat Controls Infected Android Devices via Telegram

A newly detailed Android remote access Trojan (RAT) is leveraging Telegram’s bot functionality to control infected devices, ESET reveals.

Dubbed HeroRat, the malware has been spreading since at least August 2017. As of March 2018, the Trojan’s source code has been available for free on Telegram hacking channels, resulting in hundreds of variants emerging in attacks.

Although the source code is available for free, one of these variants is being sold on a dedicated Telegram channel at three price points, depending on functionality. A support video channel is also available, the security company has discovered.

“It is unclear whether this variant was created from the leaked source code, or if it is the ‘original’ whose source code was leaked,” ESET’s Lukas Stefanko notes in a blog post.

HeroRat differs from other Telegram-abusing Android RATs in that it has been developed from scratch in C#, using the Xamarin framework, Stefanko says. This is a rare combination for Android malware, as previously analyzed Trojans were written in standard Android Java.

Moreover, the malware author has adapted the Telegram protocol to the used programming language. Instead of using the Telegram Bot API as other RATs, the new threat uses Telesharp, a library for creating Telegram bots with C#. All communication to and from the infected devices is performed using the Telegram protocol.

The new malware is being distributed via third-party app stores, social media, and messaging apps, in various appealing guises (apps promising free Bitcoins, free Internet, and more followers on social media), mostly in Iran.

The malicious program is compatible with all Android versions, but it requires users to grant it a broad range of permissions, sometimes even activating its app as device administrator. Based on these permissions, the threat can then erase all data on the device, lock the screen, change passwords, and change password rules.

After the installation has been completed and the malware is launched, a popup appears (in either English or Persian), claiming that the app can’t run and that it is being uninstalled. The victim is then informed the uninstallation has been completed, and the app icon disappears.

The malware, however, continues to run in the background, and the attacker can start using Telegram’s bot functionality to control the newly infected device. A bot operated via the Telegram app controls each compromised device, Stefanko says.

HeroRat can spy on victims and exfiltrate files from the infected devices. It can intercept text messages, steal contacts, send text messages, and make calls, record audio and screen, obtain device location, and control the device’s settings.

These capabilities are accessible through clickable buttons in the Telegram bot interface, making it very easy for attackers to control victimized devices.

The malware author has put for sale bronze, silver, and gold panels, offered at $25, $50, and $100, respectively. The malware’s source code, on the other hand, is available at $650, offered by HeroRat’s (ambitious) author themselves.

“With the malware’s source code recently made available for free, new mutations could be developed and deployed anywhere in the world,” Stefanko notes.

“To avoid falling victim to Android malware, stick to the official Google Play store when downloading apps, make sure to read user reviews before downloading anything to your device and pay attention to what permissions you grant to apps both before and after installation,” the researcher concludes.

Related: Android Trojan Leverages Telegram for Data Exfiltration

Related: New TelegramRAT Exploits Recently Patched Office Vulnerability