Security experts at Palo Alto Networks discovered a new Android Trojan dubbed TeleRAT that uses Telegram Bot API to communicate with the command and control (C&C) server and to exfiltrate data.
TeleRAT appears to be originating from and/or to be targeting individuals in Iran, experts found similarities with another Android malware dubbed IRRAT Trojan, which also leverages Telegram’s bot API for C&C communication communications.
“Telegram Bots are special accounts that do not require an additional phone number to setup and are generally used to enrich Telegram chats with content from external services or to get customized notifications and news.” reads the analysis published by PaloAlto networks. “And while Android malware abusing Telegram’s Bot API to target Iranian users is not fresh news (the emergence of a Trojan using this method called IRRAT was discussed in June and July 2017), we set out to investigate how these Telegram Bots were being abused to command and control malicious Android applications.”
The IRRAT is able to steal contact information, a list of Google accounts registered on the devices, SMS history, it is also able to take a picture with the front-facing and back-facing cameras.
Stolen data are stored on a series of files on the phone’s SD card and then sent to an upload server. The IRRAT malware reports to a Telegram bot, hides its icon from the phone’s app menu and runs in the background waiting for commands.
The TeleRAT Android malware operates in a different way, it creates two files on the device, telerat2.txt containing device information (i.e. system bootloader version number, available memory, and a number of processor cores), and thisapk_slm.txt containing a Telegram channel and a list of commands.
Once installed, the malicious code informs attackers on this by sending a message to a Telegram bot via the Telegram bot API with the current date and time. The malware also starts a background service that listens for changes made to the clipboard, and finally, the app fetches updates from the Telegram bot API every 4.6 second listening for several commands written in Farsi (Persian).
The TeleRAT is able to receive commands to grab contacts, location, app list, or the content of the clipboard; receive charging information; get file list or root file list; download files, create contacts, set wallpaper, receive or send SMS; take photos; receive or make calls; turn phone to silent or loud; turn off the phone screen; delete apps; cause the phone to vibrate; and get photos from the gallery.
TeleRAT is also able of uploading exfiltrated data using Telegram’s sendDocument API method, in this way it evades network-based detection.
“TeleRAT is an upgrade from IRRAT in that it eliminates the possibility of network-based detection that is based on traffic to known upload servers, as all communication (including uploads) is done via the Telegram bot API.” continues the analysis.
“Aside from additional commands, this new family’s main differentiator to IRRAT is that it also uploads exfiltrated data using Telegram’s sendDocument API method”
The malware is able to get updates in two ways, namely the getUpdates method (which exposes a history of all the commands sent to the bot, including the usernames the commands originated from), and the use of a Webhook (bot updates can be redirected to a HTTPS URL specified by means of a Webhook).
The TeleRAT malware is distributed via seemingly legitimate applications in third-party Android app stores and also via both legitimate and nefarious Iranian Telegram channels. According to PaloAlto networks, a total of 2,293 users were apparently infected, most of them (82%) having Iranian phone numbers.
The campaign has a poor OPSEC, the experts have found an image of the botmaster testing out the malware, along with exfiltrated messages to confirm it. The analysis of the malicious code revealed that it contains the developer’s username in the code and reference to ‘vahidmail67’ Telegram channel that advertises applications to help users get likes and followers on Instagram, ransomware, and even the source code for an unnamed RAT.
“Aside from the Telegram channel, while looking for references to certain TeleRAT components we stumbled upon somethreads on an Iranian programmers’ forum advertising the sale of a Telegram bot control library. The forum is frequented by some of the developers whose code is heavily reused in a big portion of the TeleRAT samples we came across.” continues the analysis.
Experts pointed out that TeleRAT puts together code written by several developers, including freely available source code via Telegram channels and code offered for sale on several forums, making it difficult to attribute the malware to one single bad actor behind both IRRAT and TeleRAT.
The experts concluded that the malware could be the work of several actors possibly operating inside of Iran.