HeroRat: Telegram-abusing Android RAT

ESET security researchers have discovered a new Android RAT (Remote Administration Tool) variant in the wild. Dubbed “HeroRat”, the new variant abuses the Telegram protocol for command and control and can steal sensitive data.

ESET found that the entirely new malware family started spreading in August 2017; its source code was leaked in March 2018 and made available in hacking channels.

It appears the malware was developed in C# using the Xamarin framework, a rare combination according to ESET. Previous versions of Android RATs targeting Telegram apps were written in Android Java.

“Having gained access to the victim’s device, the attacker then leverages Telegram’s bot functionality to control the newly listed device. Each compromised device is controlled via a bot, set up and operated by the attacker using the Telegram app,” ESET wrote in a recent blog post.

HeroRat can intercept messages/contacts, send text messages, make calls, record audio/screens, obtain device location and even control the device’s settings, according to ESET researchers. 

The malware was not found in the Google Play store.

To avoid becoming a victim, experts remind users to download apps only from the official Google Play store (avoiding third-party app stores), read user reviews before downloading, and be extremely cautious about which permissions they grant to any app, both before and after installing it.
