A new family of Android RAT spotted in wild abusing the Telegram protocol for command & control and data exfiltration.
Attackers distributing the New Android RAT through third-party app stores, social media and messaging apps. The attack primarily focussed on Iran and the attackers distributed the app promising free bitcoins, free internet connections, and additional followers on social media.
The malware runs on all Android versions and it has not been into the play store, security researchers from ESET identified the new malware family and they appear to be spreading from August 2017 and its source code was made available free in Telegram hacking channels last March 2018.
Once the app installed it uses social engineering methods to attain device administrator details and once the installation completed it shows a fake small popup “claiming the app can’t run on the device and will, therefore, be uninstalled.”
But with the fake uninstallation only removes the icon not the app and new victim device registered in attackers server.
The malware contains a range of capabilities including “spying and file exfiltration capabilities, including intercepting text messages and contacts, sending text messages and making calls, audio and screen recording, obtaining device location, and controlling the device’s settings.”
Android RAT dubbed HeroRat’s is divided into categories and sold bronze(25 USD), silver(50 USD) and gold panels (100 USD) respectively and the source code at 600 USD.
It has been developed using Xamarin framework and the malware contains clickable interface in Telegram bot interface, where attackers can control the victim devices by just tapping the button.
Common Defences and Mitigations
- Give careful consideration to the permission asked for by applications.
- Download applications from trusted sources.
- Stay up with the latest version.
- Encrypt your devices.
- Make frequent backups of important data.
- Install anti-malware on their devices.
- Stay strict with CIA Cycle.
