A new family of Android RAT spotted in wild abusing the Telegram protocol for command & control and data exfiltration.
Attackers distributing the New Android RAT through third-party app stores, social media and messaging apps. The attack primarily focussed on Iran and the attackers distributed the app promising free bitcoins, free internet connections, and additional followers on social media.
The malware runs on all Android versions and it has not been into the play store, security researchers from ESET identified the new malware family and they appear to be spreading from August 2017 and its source code was made available free in Telegram hacking channels last March 2018.
Once the app installed it uses social engineering methods to attain device administrator details and once the installation completed it shows a fake small popup “claiming the app can’t run on the device and will, therefore, be uninstalled.”
But with the fake uninstallation only removes the icon not the app and new victim device registered in attackers server.
The malware contains a range of capabilities including “spying and file exfiltration capabilities, including intercepting text messages and contacts, sending text messages and making calls, audio and screen recording, obtaining device location, and controlling the device’s settings.”
Android RAT dubbed HeroRat’s is divided into categories and sold bronze(25 USD), silver(50 USD) and gold panels (100 USD) respectively and the source code at 600 USD.
It has been developed using Xamarin framework and the malware contains clickable interface in Telegram bot interface, where attackers can control the victim devices by just tapping the button.
The communication between the C&C and the data exfiltrated are transferred through telegram protocol to avoid traffic detection.
Recent research has revealed that a Russian advanced persistent threat (APT) group, tracked as "GruesomeLarch"…
Microsoft's Digital Crimes Unit (DCU) has disrupted a significant phishing-as-a-service (PhaaS) operation run by Egypt-based…
The Russian threat group TAG-110, linked to BlueDelta (APT28), is actively targeting organizations in Central…
Earth Kasha, a threat actor linked to APT10, has expanded its targeting scope to India,…
Raspberry Robin, a stealthy malware discovered in 2021, leverages advanced obfuscation techniques to evade detection…
Critical infrastructure, the lifeblood of modern society, is under increasing threat as a new report…