A new variant of an Android malware called HeroRAT is being sold on Telegram hacking channels, security researchers have found. The HeroRAT malware abuses the Telegram protocol for data exfiltration and command and control.
According to security researchers at ESET, the new malware family has been propagating since August 2017. However, in March 2018, the malware’s code was leaked on Telegram hacking channels.
After HeroRAT’s code was made publicly available for free, numerous variants of the malware have since cropped up in the wild.
One particular variant of the malware is currently being sold on Telegram in three different price ranges. However, it is unclear whether this specific variant was created from the leaked source code or whether it was the “original” whose code was published.
ESET researchers said HeroRAT has not yet been spotted on Google Play Store. However, the malware has been spreading via third-party apps, messaging apps and social media. So far, the malware has only targeted victims in Iran.
Given its target demographic, the malware authors have designed HeroRAT to support both English and Persian. The malware is compatible with all versions of Android.
Once the malware is installed and launched, a pop-up appears on the screen of the infected device claiming that the app is unable to run on the device and must be uninstalled. When the victim "uninstalls" it, the app's icon disappears from the device, while at the same moment the device is registered as a new victim on the attackers' side.
“Having gained access to the victim’s device, the attacker then leverages Telegram’s bot functionality to control the newly listed device. Each compromised device is controlled via a bot, set up and operated by the attacker using the Telegram app,” ESET researchers wrote in a blog.
The malware has been developed “from scratch” in C# using the Xamarin framework.
HeroRAT has a wide range of data-stealing and spying capabilities. The malware can intercept text messages and contacts as well as send text messages, make calls, record audio, take screenshots, harvest the infected device’s location and gain control over the device’s settings.
The cybercriminals selling HeroRAT on Telegram have categorised it into three “bundles” - bronze, silver and gold - sold for $25, $50 and $100 respectively. Meanwhile, the source code of the malware is being offered for $650.
“The malware’s capabilities are accessible in the form of clickable buttons in the Telegram bot interface. Attackers can control victimized devices by simply tapping the buttons available in the version of the malware they are operating,” ESET researchers added. “Communicating commands to and exfiltrating data from the compromised devices are both covered entirely via the Telegram protocol – a measure aimed at avoiding detection based on traffic to known upload servers.”
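Because the command channel and the exfiltration channel both ride on Telegram, a destination-reputation rule ("traffic to a known upload server") will not fire; the host involved, api.telegram.org, is legitimate. A defender can instead key on the shape of the requests. The following Python script is an added example, not code from ESET's report or from the malware: it scans constructed proxy log lines for Telegram Bot API requests, which have the form `/bot<token>/<method>` and are not produced by a person using the normal Telegram client (the official apps speak MTProto, not the Bot API). The log format, device names and bot tokens are constructed for the example, and the assumption that a bot-driven implant polls `getUpdates` for commands and pushes collected data with `send*` methods is mine, not a statement from the page.

```python
"""Flag managed mobile devices that talk to the Telegram Bot API.

Added example (not from ESET's HeroRAT write-up). Detection keys on the
Bot API request shape, /bot<token>/<method>, rather than on destination
reputation, because api.telegram.org itself is a legitimate host.
"""
import re
from collections import Counter, defaultdict

# Bot API URL shape: https://api.telegram.org/bot<token>/<method>
BOT_API_RE = re.compile(
    r"^https?://api\.telegram\.org/bot(?P<token>[^/\s]+)/(?P<method>[A-Za-z]+)"
)

# Assumption (not from the page): a bot-controlled implant polls getUpdates
# for operator commands and uses send* methods to push collected data.
POLL_METHODS = {"getUpdates"}
EXFIL_METHODS = {"sendMessage", "sendDocument", "sendPhoto",
                 "sendAudio", "sendVideo", "sendLocation"}

# Constructed proxy log lines: timestamp, source device, HTTP method, URL.
# Tokens and device names are made up for this example.
SAMPLE_LOG = """\
2018-06-20T10:00:01Z phone-a17 GET https://api.telegram.org/bot123456789:CONSTRUCTED_TOKEN_A/getUpdates
2018-06-20T10:00:03Z phone-a17 GET https://api.telegram.org/bot123456789:CONSTRUCTED_TOKEN_A/getUpdates
2018-06-20T10:00:05Z phone-a17 POST https://api.telegram.org/bot123456789:CONSTRUCTED_TOKEN_A/sendDocument
2018-06-20T10:00:06Z phone-b02 GET https://web.telegram.org/
2018-06-20T10:00:07Z phone-b02 GET https://example.com/news
2018-06-20T10:00:09Z phone-c33 GET https://api.telegram.org/bot987654321:CONSTRUCTED_TOKEN_B/getMe
"""


def parse_line(line):
    """Split one constructed log line into (device, url); None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    _timestamp, device, _http_method, url = parts
    return device, url


def bot_id(token):
    """Keep only the numeric bot id. The full token is a credential for the
    attacker's bot and should not be copied into alerts or tickets."""
    return token.split(":", 1)[0]


def summarize(log_text):
    """Group Bot API calls per source device: bot ids seen and method counts."""
    summary = defaultdict(lambda: {"bots": set(), "methods": Counter()})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        device, url = parsed
        match = BOT_API_RE.match(url)
        if not match:
            continue  # ordinary Telegram (MTProto/web) or unrelated traffic
        summary[device]["bots"].add(bot_id(match.group("token")))
        summary[device]["methods"][match.group("method")] += 1
    return dict(summary)


def classify(summary):
    """'c2-pattern' when a device both polls for commands and pushes data;
    'bot-api-use' for any other Bot API traffic from a handset."""
    verdicts = {}
    for device, info in summary.items():
        methods = set(info["methods"])
        if methods & POLL_METHODS and methods & EXFIL_METHODS:
            verdicts[device] = "c2-pattern"
        else:
            verdicts[device] = "bot-api-use"
    return verdicts


def detect(log_text):
    """Convenience wrapper: device -> verdict for every flagged device."""
    return classify(summarize(log_text))


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for device, verdict in detect(SAMPLE_LOG).items():
        print(device, verdict, sorted(summary[device]["bots"]),
              dict(summary[device]["methods"]))
```

Run against the embedded sample, phone-a17 is reported as `c2-pattern` (it polls `getUpdates` twice and then uploads with `sendDocument`), phone-c33 as `bot-api-use`, and phone-b02, which only browses Telegram's web client and an unrelated site, is not reported at all. Alerts carry the numeric bot id rather than the token so that the attacker's credential is not spread through the ticketing system.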
Given that the malware is only spreading via third-party apps, messengers and social media, users would be safe from the malware by sticking to the official Play Store when downloading new apps.
“With the malware’s source code recently made available for free, new mutations could be developed and deployed anywhere in the world. Since the distribution method and form of disguise of this malware varies case by case, checking your device for the presence of any specific applications is not enough to tell if your device has been compromised,” ESET researchers said. “Make sure to read user reviews before downloading anything to your device and pay attention to what permissions you grant to apps both before and after installation.”