Source: ESET. Screen capture of Telegram malware asking for device administration rights.
Unlike the Telegram-abusing Android RATs previously analysed, which are written in standard Android Java, this newly-discovered malware family has been developed from scratch in C# using the Xamarin framework – a rare combination for Android malware for now.
The way the malware communicates via the Telegram protocol has been adapted to its programming language – instead of the Telegram bot API leveraged by the RATs previously described, this malware family uses Telesharp, a library for creating Telegram bots with C#.
Investigating what at first seemed like increased activity on the part of the previously reported IRRAT and TeleRAT, ESET has identified an entirely new malware family that has been spreading at least since August 2017.
In March 2018, its source code was made available for free on Telegram hacking channels, and as a result, hundreds of parallel variants of the malware have been circulating in the wild.
One of these variants is different from the rest – despite the freely available source code, it is offered for sale on a dedicated Telegram channel, marketed under the name HeroRat. HeroRat is available in three pricing models according to functionality and comes with a support video channel. It is unclear whether this variant was created from the leaked source code, or if it is the “original” whose source code was leaked.
Attackers lure victims into downloading the RAT by spreading it through social engineering and via third-party app stores, social media and messaging apps. Researchers have seen the malware distributed as apps promising free Bitcoin, free Internet connections, and additional followers on social media, mostly in Iran. The malware has not been seen on Google Play.
The malware runs on all Android versions; however, affected users need to accept the permissions required by the app (sometimes including activating the app as device administrator), which is where social engineering comes into play.
After the malware is installed and launched on the victim’s device, a small popup appears, claiming the app cannot run on the device and will be uninstalled. In the variants ESET analysed, the fake uninstall message can be displayed in English or Persian, depending on the target device’s language settings.
The app’s icon disappears after the fake uninstallation with the device now under the attacker's control.
The malware has a wide array of spying and file exfiltration capabilities, including intercepting text messages and contacts, sending text messages and making calls, audio and screen recording, obtaining device location, and controlling the device’s settings.
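As an added example (not code from ESET's report or from the malware itself), the script below applies the indicators described above, a device-admin receiver combined with SMS, call, audio-recording and location permissions, to an Android manifest as an analyst triage heuristic; the sample manifest and its package name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Capabilities the report attributes to the RAT (SMS, calls, audio recording,
# location) mapped to the permissions an app must request to use them.
SPY_PERMISSIONS = {
    "android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS", "android.permission.READ_CONTACTS",
    "android.permission.CALL_PHONE", "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
}
DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"

# Constructed sample manifest (not from any real sample): a "free followers"
# app declaring a device-admin receiver plus several spying permissions.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.freefollowers">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def triage_manifest(manifest_xml: str) -> dict:
    """Report requested spying permissions, device-admin use, and a verdict."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    perm_attr = f"{{{ANDROID_NS}}}permission"
    requested = {p.get(name_attr) for p in root.iter("uses-permission")}
    spy = sorted(requested & SPY_PERMISSIONS)
    admin = any(r.get(perm_attr) == DEVICE_ADMIN for r in root.iter("receiver"))
    # Heuristic: device admin plus three or more spying permissions in an app
    # whose advertised purpose needs none of them warrants a closer look.
    suspicious = admin and len(spy) >= 3
    return {"spy_permissions": spy, "device_admin": admin, "suspicious": suspicious}

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

The thresholds are a starting point for triage, not a verdict on their own; benign apps such as enterprise MDM agents legitimately combine device admin with some of these permissions.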
Communicating commands to and exfiltrating data from the compromised devices are both conducted entirely via the Telegram protocol – this helps the malware to avoid detection based on traffic to known upload servers.
ESET points out that as the malware’s source code is free, new mutations could be developed and deployed anywhere in the world. "Since the distribution method and form of disguise of this malware varies case by case, checking your device for the presence of any specific applications is not enough to tell if your device has been compromised," the company stated.
ESET suggests scanning devices using a reliable mobile security solution. ESET systems, for example, can detect and block this threat as Android/Spy.Agent.AMS and Android/Agent.AQO.
ESET also suggested using the official Google Play store when downloading apps, and reading user reviews before downloading anything. The permissions requested by apps both before and after installation are also important.