Android trojan is using Telegram to exfiltrate data

Researchers have discovered a new Android trojan that is using a Telegram’s Bot API to communicate with its C&C server to exfiltrate data.
This new cybersecurity threat is named TeleRAT; the malware is used against individual targets located in Iran. This malware is similar to IRRAT Trojan, which uses Telegram’s bot API for C&C communication only.

TeleRAT creates two files on every infected device. The first file contains various device information: system bootloader version number, available memory, and the number of processor cores. The second file includes a Telegram channel and a list of commands.
The first action of the newly cybersecurity threat, after infection, is to inform cybercriminals that a new infection occurred. It does this by sending a message to a Telegram bot via the Telegram bot API with the current date and time. After this, TeleRAT starts a background service to listen for changes made to the clipboard, and fetches updates and listen for commands from the Telegram bot API every 4.6 seconds.

During the malware analysis, researchers found out that this new piece of cybersecurity threat can: grab contacts, location, app list, the content of the clipboard; receive charging information; get file list or root file list; download files, create contacts, set wallpaper, receive or send SMS; take photos; receive or make calls; turn phone to silent or loud; turn off the phone screen; delete apps; cause the phone to vibrate; and get photos from the gallery.
It is also capable of uploading exfiltrated data using Telegram’s sendDocument API method. Cybercriminals choose to C&C this malware via the Telegram bot API, because by doing this they can evade network-based detection used by some cybersecurity solution. Telegram APIs is used in two manners, one of the modes is the getUpdates method, and the other one uses a Webhook.

Companies and individual people must take certain precautions against this new type of cybersecurity threat; they should implement at least a cybersecurity solution, like an antivirus, to protect their systems. Necessary things like regularly updating operating systems, using antivirus for Windows, an antivirus for Mac, or antivirus for Android, depending on which OS your device is using. Companies must also hire professional cybersecurity firms to do regular checkups to their internal network a couple of times per year. These checkups must always include a penetration test and various ethical hacking test.

After the code analysis, researchers found out that its creator is named vahidmail67. Same researchers found out that a Telegram channel whit the same name exists, this channel advertises: applications that help users to get likes and followers on Instagram, ransomware, and source code for an unnamed RAT.
For now, we are not sure if vahidmail67 the name of a single Iranian cybercriminal programmer or if it’s just a code name under which several Iranian cybercriminal developers operate.

The malware is distributed via legitimate applications that are available on third-party Android app stores and also distributed and spread via Iranian Telegram channels.
Until now it was found out that a total of 2,293 users were infected and 82% of the victims are using Iranian phone numbers.
Every phone represents network entry point or a valuable data bank that must be protected by at least cybersecurity solution like an antivirus, to protect their systems. Companies must hire a professional cybersecurity firm that will run various cybersecurity tests on your company’s network to implement only the best possible cybersecurity solution. Always opt for a package that includes at least a penetration test and ethical hacking test.