Recently, security researchers have found the HeroRat malware, which abuses Telegram for command and control. Read on to know more about the HeroRat malware…
Android users have been warned of a new strain of Android RAT that can spy on you and record what you’re doing at every moment. The malware, named HeroRat, was discovered by security experts at ESET and leverages the Telegram protocol for command and control and for data exfiltration. HeroRat isn’t the first malware abusing the Telegram protocol; past investigations reported similar threats such as TeleRAT and IRRAT. The new malware HeroRat has been in the wild at least since August 2017, and in March 2018 its source code was released for free on Telegram hacking channels, allowing various threat actors to create their own variants.
HeroRat is quite different from the other variants that borrowed the source code. HeroRat is the first Telegram-based malware developed from scratch in C# using the Xamarin framework; previous ones were written in Java. The RAT leverages the Telesharp library for creating Telegram bots with C#.
The malware tries to trick victims into downloading it with lofty promises and can carry out a wide range of surveillance tasks such as intercepting text messages as well as audio and screen recording. HeroRat can also control a device’s settings, obtain a user’s location as well as make calls and tap into your contacts.
It poses as an application that can allegedly offer victims free Bitcoin, more social media followers or free internet connections. Once downloaded it then leverages the bot functionality of the hugely popular Telegram app to control the device.
Currently, Telegram has 200 million monthly users.
“One of these variants is different from the rest – despite the freely available source code, it is offered for sale on a dedicated Telegram channel, marketed under the name HeroRat.” reads the analysis published by ESET.
“It is available in three pricing models according to functionality, and comes with a support video channel. It is unclear whether this variant was created from the leaked source code, or if it is the “original” whose source code was leaked.”
The malware is spread through different channels; in particular, it is distributed via third-party app stores, disguised as social media and messaging apps.
The apps analyzed by ESET show a strange behavior: after the malware is installed and launched on the victim’s device, it displays a small popup claiming the application can’t run on the device and, for this reason, will be uninstalled.
Once the uninstallation is seemingly completed, the icon associated with the app disappears. Unfortunately, by that point the attacker has already obtained control of the victim’s device.
The attacker leverages the Telegram bot functionality to control the infected device; the malware is able to execute a broad range of commands, including data exfiltration and audio/video recording.
“The malware has a wide array of spying and file exfiltration capabilities, including intercepting text messages and contacts, sending text messages and making calls, audio and screen recording, obtaining device location, and controlling the device’s settings,” continues the analysis.
In a blog post outlining how the malware works, ESET researcher Lukas Stefanko wrote “Having gained access to the victim’s device, the attacker then leverages Telegram’s bot functionality to control the newly listed device.” He noted “Each compromised device is controlled via a bot, set up and operated by the attacker using the Telegram app.”
Stefanko added, “The malware’s capabilities are accessible in the form of clickable buttons in the Telegram bot interface.” He added, “Attackers can control victimized devices by simply tapping the buttons available in the version of the malware they are operating.”
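The capability list ESET attributes to HeroRat (SMS interception and sending, contacts, calls, audio recording, location, settings control) maps onto a small set of Android manifest permissions. The following is an added example, not code from the article or from ESET, showing how a defender can triage an app's requested permissions against that capability set. The permission names are real Android permission strings; the two sample manifests and the `triage` threshold are constructed for illustration, and screen recording is deliberately absent because Android's MediaProjection API does not require a manifest permission.

```python
import re

# Capability (as described in ESET's analysis) -> manifest permissions an app
# would need to implement it. Permission names are real Android permissions.
CAPABILITY_PERMISSIONS = {
    "intercept SMS": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "send SMS": {"android.permission.SEND_SMS"},
    "read contacts": {"android.permission.READ_CONTACTS"},
    "make calls": {"android.permission.CALL_PHONE"},
    "audio recording": {"android.permission.RECORD_AUDIO"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "change settings": {"android.permission.WRITE_SETTINGS"},
}

# Matches <uses-permission android:name="..."> entries in a decoded manifest.
PERMISSION_RE = re.compile(r'<uses-permission\s+android:name="([^"]+)"')


def requested_permissions(manifest_xml):
    """Return the set of permission strings an AndroidManifest.xml requests."""
    return set(PERMISSION_RE.findall(manifest_xml))


def matched_capabilities(perms):
    """Capabilities from the HeroRat list that the requested permissions would enable."""
    return sorted(cap for cap, needed in CAPABILITY_PERMISSIONS.items() if perms & needed)


def triage(manifest_xml, threshold=4):
    """Flag an app whose permissions cover 'threshold' or more of the spying
    capabilities. This is a triage signal, not proof of malice: legitimate
    messaging apps also request several of these."""
    caps = matched_capabilities(requested_permissions(manifest_xml))
    return {"capabilities": caps, "suspicious": len(caps) >= threshold}


# Constructed sample: a manifest in the style of a "free Bitcoin" lure app.
SPY_MANIFEST = """<manifest package="com.example.freebitcoin">
  <uses-permission android:name="android.permission.INTERNET" />
  <uses-permission android:name="android.permission.READ_SMS" />
  <uses-permission android:name="android.permission.SEND_SMS" />
  <uses-permission android:name="android.permission.READ_CONTACTS" />
  <uses-permission android:name="android.permission.CALL_PHONE" />
  <uses-permission android:name="android.permission.RECORD_AUDIO" />
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
  <uses-permission android:name="android.permission.WRITE_SETTINGS" />
</manifest>"""

# Constructed sample: a single-purpose camera app.
BENIGN_MANIFEST = """<manifest package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA" />
</manifest>"""

if __name__ == "__main__":
    for name, manifest in (("lure app", SPY_MANIFEST), ("camera app", BENIGN_MANIFEST)):
        print(name, triage(manifest))
```

Run against a manifest pulled from an APK with a decoder such as apktool, the function gives a quick ranking of sideloaded apps worth a closer look; as the article notes, the disguise varies case by case, so the permission footprint is a better first filter than a package name.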
The ESET malware researcher added that the malware has not been seen on the Google Play Store and so far has mainly been distributed in Iran.
With the HeroRat malware’s source code recently made available for free, new mutations could be developed and deployed anywhere in the world. Since the distribution method and form of disguise of this malware varies case by case, checking your mobile device for the presence of any specific applications is not enough to tell if your device has been compromised. If you have reason to believe your device has been compromised by this malware, scan it using a reliable mobile security solution. ESET systems detect and block this threat as Android/Spy.Agent.AMS and Android/Agent.AQO.
ESET researcher Lukas Stefanko notes that “To avoid falling victim to Android malware, stick to the official Google Play store when downloading apps, make sure to read user reviews before downloading anything to your device and pay attention to what permissions you grant to apps both before and after installation.”