Researchers at Palo Alto Networks have identified a previously unknown Android trojan called TeleRAT. The trojan uses the Telegram Bot API for command and control (C&C) communication and for data exfiltration.
TeleRAT is believed to originate from Iran and mostly targets Iranian users. According to the researchers, it shares some similarities with another Android trojan called IRRAT, which also leverages Telegram's Bot API for C&C communication.
“Telegram Bots are special accounts that do not require an additional phone number to setup and are generally used to enrich Telegram chats with content from external services or to get customized notifications and news,” reads the analysis published by Palo Alto Networks.
The IRRAT trojan can steal contact information, a list of Google accounts registered on the devices, and SMS history. The malware is also able to take pictures with the front-facing and back-facing cameras.
The stolen data is stored in a series of files on the phone's SD card and then sent to an upload server. Meanwhile, the IRRAT trojan reports to a Telegram bot, hides its icon from the phone's app menu and runs in the background waiting for further commands.
The TeleRAT trojan operates differently. It creates two files on the device: telerat2.txt, which contains device information (such as the system bootloader version number, available memory, and the number of processor cores), and thisapk_slm.txt, which contains a Telegram channel and a list of commands.
Once installed, the malicious code immediately notifies the attackers by sending a message containing the current date and time to a Telegram bot via the Telegram Bot API. At the same time, the trojan starts a background service that listens for changes to the clipboard, and the application then fetches updates from the Telegram Bot API every 4.6 seconds, listening for several commands written in Persian.
TeleRAT accepts commands to grab contacts, location, the app list, or the contents of the clipboard; report charging information; get a file list or root file list; download files; create contacts; set the wallpaper; receive or send SMS; take photos; receive or make calls; switch the phone to silent or loud; turn off the phone screen; delete apps; make the phone vibrate; and steal photos from the gallery.
Additionally, the TeleRAT malware uploads exfiltrated data using Telegram's sendDocument API method, which helps it evade network-based detection because the traffic blends in with legitimate Telegram API use.
The trojan can receive updates in two ways: through the getUpdates method (which exposes a history of all the commands sent to the bot, including the usernames the commands originated from), or through a Webhook (bot updates are redirected to an HTTPS URL specified when the Webhook is registered).
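The two Bot API behaviours described above give a defender something concrete to look for in outbound proxy logs: a client that polls the getUpdates method at a short, regular cadence, and the same client calling sendDocument. The following detection heuristic is an added example, not code from Palo Alto Networks or from the report; the log format, client addresses and bot tokens are constructed placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Bot API calls share the shape https://api.telegram.org/bot<token>/<method>;
# ordinary Telegram client traffic does not use the /bot<token>/ path.
BOT_API_RE = re.compile(r"https://api\.telegram\.org/bot[^/\s]+/(\w+)")

# Constructed proxy log lines (timestamp, client IP, URL). Tokens and
# addresses are placeholders, not indicators from the report.
SAMPLE_LOG = """\
2018-03-20T10:00:00.000 10.0.0.5 https://api.telegram.org/bot111:TOKENA/sendMessage
2018-03-20T10:00:00.400 10.0.0.5 https://api.telegram.org/bot111:TOKENA/getUpdates
2018-03-20T10:00:05.000 10.0.0.5 https://api.telegram.org/bot111:TOKENA/getUpdates
2018-03-20T10:00:09.600 10.0.0.5 https://api.telegram.org/bot111:TOKENA/getUpdates
2018-03-20T10:00:14.200 10.0.0.5 https://api.telegram.org/bot111:TOKENA/getUpdates
2018-03-20T10:00:15.000 10.0.0.5 https://api.telegram.org/bot111:TOKENA/sendDocument
2018-03-20T10:00:01.000 10.0.0.9 https://example.com/index.html
2018-03-20T10:00:02.000 10.0.0.9 https://api.telegram.org/bot222:TOKENB/getUpdates
2018-03-20T10:05:02.000 10.0.0.9 https://api.telegram.org/bot222:TOKENB/getUpdates
2018-03-20T10:10:02.000 10.0.0.9 https://api.telegram.org/bot222:TOKENB/getUpdates
"""

def parse_bot_calls(log_text):
    """Group Bot API calls per client as (timestamp, method) pairs."""
    calls = defaultdict(list)
    for line in log_text.splitlines():
        ts, client, url = line.split(" ", 2)
        match = BOT_API_RE.match(url)
        if match:
            calls[client].append((datetime.fromisoformat(ts), match.group(1)))
    return calls

def find_bot_beacons(log_text, max_interval=10.0, min_polls=3):
    """Flag clients polling getUpdates at a short, regular cadence (the report
    cites roughly every 4.6 s) and count their sendDocument uploads, the
    method the report names as TeleRAT's exfiltration channel."""
    findings = {}
    for client, calls in parse_bot_calls(log_text).items():
        polls = sorted(t for t, method in calls if method == "getUpdates")
        uploads = sum(1 for _, method in calls if method == "sendDocument")
        if len(polls) < min_polls:  # need at least two intervals to judge cadence
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(polls, polls[1:])]
        if mean(gaps) <= max_interval:
            findings[client] = {"avg_poll_interval": round(mean(gaps), 1), "uploads": uploads}
    return findings
```

A bot configured with a Webhook never polls, so the cadence check only catches the getUpdates mode; sendDocument calls from a client that has no business running a Telegram bot deserve review on their own.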
TeleRAT is distributed through seemingly legitimate applications in third-party Android app stores and through both legitimate and malicious Iranian Telegram channels. According to Palo Alto Networks, a total of 2,293 users have already been infected, most of them with Iranian phone numbers.