Android Malware HeroRat Abuses Telegram For Communication

The team at ESET has reported on the results of its research into a new family of Android RATs (Remote Administrative Tools). Source code for this type of malware can be found on Telegram hacking channels. ESET, which named the family “HeroRat”, was not certain whether this package was built from source code found on those channels or whether its source code is the basis for the other variants that have been spread around.

HeroRat is being distributed primarily in Iran via third-party sites. The malware’s packaging may offer inducements such as free bitcoins, a free Internet connection and more followers on social media in an attempt to convince victims to install it. During installation the user must grant the permissions the app claims to need, including the “device administration” permission. When the app is first run, it displays a pop-up stating that it is unable to run on that particular device and will uninstall itself.

What it actually does is register the device with the attacker and await instructions via Telegram. The malware can intercept SMS messages, access the device’s contact list, send SMS messages, record audio, obtain the device’s location, and control the device’s settings.
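As an added illustration (not from ESET’s report or this article), the Python check below maps the capabilities listed above to the Android permissions an app must declare and flags a manifest that requests the whole set together with a device-administration receiver. The sample manifest and its package name are constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Capabilities the article attributes to HeroRat, mapped to the Android
# permissions that grant them (any one permission in the tuple suffices).
CAPABILITY_PERMISSIONS = {
    "intercept SMS": ("android.permission.RECEIVE_SMS", "android.permission.READ_SMS"),
    "send SMS": ("android.permission.SEND_SMS",),
    "read contacts": ("android.permission.READ_CONTACTS",),
    "record audio": ("android.permission.RECORD_AUDIO",),
    "get location": ("android.permission.ACCESS_FINE_LOCATION",
                     "android.permission.ACCESS_COARSE_LOCATION"),
    "change settings": ("android.permission.WRITE_SETTINGS",),
}

def triage_manifest(manifest_xml: str) -> dict:
    """Score a decoded AndroidManifest.xml against the HeroRat capability set."""
    root = ET.fromstring(manifest_xml)
    declared = {e.get(f"{{{ANDROID_NS}}}name") for e in root.iter("uses-permission")}
    caps = [cap for cap, perms in CAPABILITY_PERMISSIONS.items()
            if declared.intersection(perms)]
    # A device-admin component is a <receiver> protected by BIND_DEVICE_ADMIN;
    # this is what the "device administration" prompt the article mentions grants.
    device_admin = any(
        r.get(f"{{{ANDROID_NS}}}permission") == "android.permission.BIND_DEVICE_ADMIN"
        for r in root.iter("receiver"))
    if device_admin:
        caps.append("device administration")
    # Threshold is a triage heuristic for this example, not an ESET rule.
    return {"capabilities": caps, "device_admin": device_admin,
            "score": len(caps), "suspicious": device_admin and len(caps) >= 4}

# Constructed sample: a "free bitcoin" app requesting the RAT's permission set.
SAMPLE_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.freebitcoin">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```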

HeroRat’s author sells the malware in three tiers based on the level of features provided: Bronze ($10), Silver ($50) and Gold ($100). Those who wish to develop the product beyond the author’s models can purchase the source code for $650. According to ESET, this malware is not written in Java but in C# using the Xamarin framework; it accesses the communication services Telegram offers through the Telesharp library.

Attackers lure victims into downloading the RAT by spreading it under various attractive-sounding guises, via third-party app stores, social media and messaging apps. We’ve seen the malware distributed mostly in Iran, as apps promising free bitcoins, free internet connections, and additional followers on social media. The malware has not been seen on Google Play.

Recommendations
  • Only install apps from the official Google Play store
  • Install and run reputable anti-virus software for mobile devices

Duncan Newell

Duncan is a technology professional with over 20 years’ experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
