Android Trojan Leverages Telegram for Data Exfiltration
A newly discovered Android Trojan is abusing Telegram’s Bot API to communicate with the command and control (C&C) server and to exfiltrate data, Palo Alto Networks security researchers warn.
Dubbed TeleRAT, the malware appears to be originating from and/or to be targeting individuals in Iran. The threat is similar to the previously observed IRRAT Trojan, which uses Telegram’s bot API for C&C communication only.
Still active in the wild, IRRAT masquerades as applications supposedly informing users on the number of views their Telegram profile received (something that Telegram doesn’t actually allow for). After the app’s first launch, the malware creates and populates a series of files on the phone’s SD card, which it then sends to an upload server.
The files contain contact information, a list of Google accounts registered on the phone, SMS history, a picture taken with the front-facing camera, and a picture taken with back-facing camera. The malicious app reports to a Telegram bot, hides its icon from the phone’s app menu, and continues to run in the background, waiting for commands.
TeleRAT, on the other hand, creates two files on the device, one containing various device information (including system bootloader version number, available memory, and number of processor cores), and another containing a Telegram channel and a list of commands, Palo Alto Networks says.
After installation, the RAT informs attackers on this by sending a message to a Telegram bot via the Telegram bot API with the current date and time. It also starts a background service to listen for changes made to the clipboard, and fetches updates from the Telegram bot API every 4.6 seconds, listening for commands.
Based on the received commands, the malware can grab contacts, location, app list, or the content of the clipboard; receive charging information; get file list or root file list; download files, create contacts, set wallpaper, receive or send SMS; take photos; receive or make calls; turn phone to silent or loud; turn off the phone screen; delete apps; cause the phone to vibrate; and get photos from the gallery.
The new malware family is also capable of uploading exfiltrated data using Telegram’s sendDocument API method. By performing all communication via the Telegram bot API, it evades network-based detection.
The use of said API allows for getting updates in two manners, namely the getUpdates method (which exposes a history of all the commands sent to the bot, including the usernames the commands originated from), and the use of a Webhook (bot updates can be redirected to a HTTPS URL specified by means of a Webhook).
The researchers claim to have found an image of the botmaster testing out the RAT, along with exfiltrated messages to confirm it. The malware also appears to contain the developer’s username in the code, which lead researchers to the ‘vahidmail67’ Telegram channel, which advertises applications to help users get likes and followers on Instagram, ransomware, and even the source code for an unnamed RAT.
The researchers also found threads on an Iranian programmers’ forum advertising the sale of a Telegram bot control library and say that code from developers frequenting the forum was found in encountered TeleRAT samples. Although the forum claims all content is in accordance with Iran’s laws, the malicious use for some of the code advertised there is clear.
Because TeleRAT puts together code written by several developers, including freely available source code via Telegram channels and code sold on forums, this makes it difficult to point to one single actor commanding either IRRAT or TeleRAT. Thus, Palo Alto Networks says the malware could be the work of several actors possibly operating inside of Iran.
The malware is distributed via seemingly legitimate applications in third-party Android app stores and also distributed and shared via both legitimate and nefarious Iranian Telegram channels. A total of 2,293 users were apparently infected, based on the analyzed infrastructure, with 82% of the victims having Iranian phone numbers.
Ionut Arghire is an international correspondent for SecurityWeek.