Security experts discovered a new Android Trojan, dubbed TeleRAT, that uses the Telegram Bot API to communicate with its command and control (C&C) server and to exfiltrate data.
TeleRAT appears to originate from and/or target individuals in Iran. Experts found similarities with another Android malware, dubbed IRRAT Trojan, which also leverages Telegram's bot API for C&C communication.
IRRAT is able to steal contact information, the list of Google accounts registered on the device and the SMS history; it is also able to take pictures with the front-facing and back-facing cameras.
The stolen data is stored in a series of files on the phone's SD card and then sent to an upload server. The IRRAT malware reports to a Telegram bot, hides its icon from the phone's app menu and runs in the background waiting for commands.
The TeleRAT Android malware operates differently: it creates two files on the device, telerat2.txt, containing device information (i.e. the system bootloader version number, the available memory and the number of processor cores), and thisapk_slm.txt, containing a Telegram channel and a list of commands.
Once installed, the malicious code notifies the attackers by sending a message to a Telegram bot via the Telegram bot API with the current date and time. The malware also starts a background service that listens for changes made to the clipboard, and finally the app fetches updates from the Telegram bot API every 4.6 seconds, listening for several commands written in Farsi (Persian).
TeleRAT is able to receive commands to grab contacts, location, the app list or the content of the clipboard; receive charging information; get the file list or root file list; download files; create contacts; set the wallpaper; receive or send SMS; take photos; receive or make calls; switch the phone to silent or loud; turn off the phone screen; delete apps; cause the phone to vibrate; and get photos from the gallery.
TeleRAT is also capable of uploading exfiltrated data using Telegram's sendDocument API method, and in this way it evades network-based detection.
The malware is able to get updates in two ways: the getUpdates method (which exposes a history of all the commands sent to the bot, including the usernames the commands originated from) or a Webhook (bot updates are redirected to an HTTPS URL specified by means of the Webhook).
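From the defender's side, the two traits described above, a tight 4.6-second getUpdates polling loop and file uploads through sendDocument, are what stand out in egress logs. The following script is an added example, not code from the article or from Palo Alto Networks; it runs over a constructed web-proxy log (epoch timestamp, source IP, HTTP method, URL) with a placeholder bot token, and flags clients that poll the Bot API at a regular, short cadence, reporting alongside how many sendDocument uploads the same client made. The thresholds (max_interval, max_jitter, min_polls) are assumptions to tune per environment.

```python
"""Flag regular Telegram Bot API polling (beaconing) in proxy logs.

Added example, not part of the original article. The log lines below are
constructed; the token segment 'PLACEHOLDER_TOKEN' stands in for a real bot
token, which appears in the URL path of every Bot API call.
"""
import re
import statistics
from collections import defaultdict

# Constructed sample proxy log: "<epoch seconds> <src ip> <method> <url>"
# 10.0.0.5 mimics the described behaviour: getUpdates every 4.6 s plus one
# sendDocument upload. 10.0.0.9 is a benign, infrequent bot user; 10.0.0.7
# is ordinary Telegram web traffic and must be ignored.
SAMPLE_LOG = """\
1520000000.0 10.0.0.5 GET https://api.telegram.org/botPLACEHOLDER_TOKEN/getUpdates?offset=17
1520000004.6 10.0.0.5 GET https://api.telegram.org/botPLACEHOLDER_TOKEN/getUpdates?offset=17
1520000009.2 10.0.0.5 GET https://api.telegram.org/botPLACEHOLDER_TOKEN/getUpdates?offset=18
1520000013.8 10.0.0.5 GET https://api.telegram.org/botPLACEHOLDER_TOKEN/getUpdates?offset=18
1520000016.0 10.0.0.5 POST https://api.telegram.org/botPLACEHOLDER_TOKEN/sendDocument
1520000018.4 10.0.0.5 GET https://api.telegram.org/botPLACEHOLDER_TOKEN/getUpdates?offset=19
1520000023.0 10.0.0.5 GET https://api.telegram.org/botPLACEHOLDER_TOKEN/getUpdates?offset=19
1520000001.0 10.0.0.9 GET https://api.telegram.org/botOTHER_TOKEN/getUpdates
1520000900.0 10.0.0.9 GET https://api.telegram.org/botOTHER_TOKEN/getUpdates
1520000012.0 10.0.0.7 GET https://web.telegram.org/
"""

# Bot API URLs have the shape https://api.telegram.org/bot<token>/<method>
BOT_API_RE = re.compile(r"^https://api\.telegram\.org/bot([^/]+)/(\w+)")


def parse_line(line):
    """Return (timestamp, src_ip, api_method, token) for Bot API calls, else None."""
    parts = line.split(maxsplit=3)
    if len(parts) < 4:
        return None
    ts, src, _http_method, url = parts
    m = BOT_API_RE.match(url)
    if not m:
        return None
    token, api_method = m.groups()
    return float(ts), src, api_method, token


def analyze(log_text, max_interval=30.0, max_jitter=1.0, min_polls=4):
    """Return {src_ip: finding} for clients whose getUpdates calls look like a beacon.

    A client is flagged when it issued at least min_polls getUpdates calls whose
    median spacing is at most max_interval seconds and whose spacing standard
    deviation is at most max_jitter seconds. sendDocument calls from the same
    client are counted as a corroborating exfiltration indicator.
    """
    polls = defaultdict(list)
    uploads = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, api_method, _token = rec
        if api_method == "getUpdates":
            polls[src].append(ts)
        elif api_method == "sendDocument":
            uploads[src] += 1

    findings = {}
    for src, stamps in polls.items():
        stamps.sort()
        if len(stamps) < min_polls:
            continue
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        median = statistics.median(gaps)
        jitter = statistics.pstdev(gaps)
        if median <= max_interval and jitter <= max_jitter:
            findings[src] = {
                "polls": len(stamps),
                "median_interval": round(median, 1),
                "jitter": round(jitter, 2),
                "uploads": uploads.get(src, 0),
            }
    return findings


if __name__ == "__main__":
    for src, f in analyze(SAMPLE_LOG).items():
        print(f"{src}: {f['polls']} getUpdates calls, median {f['median_interval']}s, "
              f"jitter {f['jitter']}s, {f['uploads']} sendDocument upload(s)")
```

A bot configured with a Webhook never polls, so the cadence check does not apply to it; in that mode the remaining network indicator on the infected handset is the outbound Bot API traffic itself, in particular sendDocument calls, which this script still counts per client.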
The TeleRAT malware is distributed via seemingly legitimate applications in third-party Android app stores and also via both legitimate and nefarious Iranian Telegram channels. According to Palo Alto Networks, a total of 2,293 users were apparently infected, most of them (82%) having Iranian phone numbers.