Categories: Malware

New Android RAT Spotted in Wild Abusing Telegram Protocol for Command and Control

A new family of Android RAT spotted in wild abusing the Telegram protocol for command & control and data exfiltration.

Attackers distributing the New Android RAT through third-party app stores, social media and messaging apps. The attack primarily focussed on Iran and the attackers distributed the app promising free bitcoins, free internet connections, and additional followers on social media.

The malware runs on all Android versions and it has not been into the play store, security researchers from ESET identified the new malware family and they appear to be spreading from August 2017 and its source code was made available free in Telegram hacking channels last March 2018.

Once the app installed it uses social engineering methods to attain device administrator details and once the installation completed it shows a fake small popup “claiming the app can’t run on the device and will, therefore, be uninstalled.”

But with the fake uninstallation only removes the icon not the app and new victim device registered in attackers server.

The malware contains a range of capabilities including “spying and file exfiltration capabilities, including intercepting text messages and contacts, sending text messages and making calls, audio and screen recording, obtaining device location, and controlling the device’s settings.”

Android RAT dubbed HeroRat’s is divided into categories and sold bronze(25 USD), silver(50 USD) and gold panels (100 USD) respectively and the source code at 600 USD.

It has been developed using Xamarin framework and the malware contains clickable interface in Telegram bot interface, where attackers can control the victim devices by just tapping the button.

The communication between the C&C and the data exfiltrated are transferred through telegram protocol to avoid traffic detection.

Common Defences and Mitigations

  • Give careful consideration to the permission asked for by applications.
  • Download applications from trusted sources.
  • Stay up with the latest version.
  • Encrypt your devices.
  • Make frequent backups of important data.
  • Install anti-malware on their devices.
  • Stay strict with CIA Cycle.
Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS devices.…

2 days ago

ATPC Cyber Forum to Focus on Next Generation Cybersecurity and Artificial Intelligence Issues

White House National Cyber Director, CEOs, Key Financial Services Companies, Congressional and Executive Branch Experts…

3 days ago

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan exploits…

4 days ago

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on organizations…

4 days ago

Google Chrome Security, Critical Vulnerabilities Patched

Google has updated its Chrome browser, addressing critical vulnerabilities that posed potential risks to millions…

4 days ago

Notorious WrnRAT Delivered Mimic As Gambling Games

WrnRAT is a new malware attack that cybercriminals have deployed by using popular gambling games…

4 days ago