ESET researchers have discovered a new family of Android RATs (Remote Administration Tools) abusing the Telegram protocol for command and control, and data exfiltration. The authors of the RATs have developed an app that can eavesdrop your phone.

The malware has a wide array of spying and file exfiltration capabilities, including intercepting text messages and contacts, sending text messages and making calls, audio and screen recording, obtaining device location, and controlling the device’s settings.

Attackers lure victims into downloading the RAT by spreading it under various attractive-sounding guises, via third-party app stores, social media and messaging apps. Sometimes the malware is distributed as apps promising free bitcoins, free internet connections, and additional followers on social media.

“The malware runs on all Android versions: however, affected users need to accept permissions required by the app (sometimes including activating the app as device administrator), which is where social engineering comes into play,” reads a statement from ESET.

After the malware is installed and launched on the victim’s device, a small popup appears, claiming the app can’t run on the device and will therefore be uninstalled. After the uninstallation is seemingly completed, the app’s icon disappears. On the attacker’s side, however, a new victimized device has just been registered.

Having gained access to the victim’s device, the attacker then leverages Telegram’s bot functionality to control the newly listed device. Each compromised device is controlled via a bot, set up and operated by the attacker using the Telegram app.

Read: Instagram Launches TV Channel, As It Hits A Billion Users

“Unlike the Telegram-abusing Android RATs previously analyzed, which are written in standard Android Java, this newly-discovered malware family has been developed from scratch in C# using the Xamarin framework – a rare combination for Android malware,” states ESET.

From left to right, “Bronze panel”, “Silver panel” and “Gold panel” of the Malware (screenshots from an instructional video provided by the malware author)

Communicating commands to and exfiltrating data from the compromised devices are both covered entirely via the Telegram protocol – a measure aimed at avoiding detection based on traffic to known upload servers.

ESET advises that users should scan their devices using a reliable mobile security solution, as well as avoiding apps from unknown sources.

“To avoid falling victim to Android malware, stick to the official Google Play store when downloading apps, make sure to read user reviews before downloading anything to your device and pay attention to what permissions you grant to apps both before and after installation,” concludes ESET.

Despite the freely available source code, it is offered for sale on a dedicated Telegram channel, marketed under the name HeroRat. HeroRat is available in three pricing models according to functionality and comes with a support video channel.

HeroRat’s functionality is divided into three “bundles” – bronze, silver and gold panels – offered for sale for 25, 50, and 100 USD, respectively. The source code itself is offered for 650 USD by HeroRat’s (ambitious) author.

Do you have a story you want told? Do you know of a sensitive story you would like us to get our hands on? Email your news TIPS to [email protected]