A new strain of Android malware has been discovered that abuses Telegram's bot functionality to communicate with its operators, turning each compromised device into part of a wider botnet.

The malware runs on all Android versions; however, the victim still has to grant the permissions the app requests (sometimes including activating the app as a device administrator), which is where social engineering comes into play.

Attackers trick users into downloading fake (infected) apps that promise free social media followers or free bitcoins. On launch, the app asks for device administrator rights and then displays a warning that it cannot run on the device and is being uninstalled. In reality the app is not removed: it hides its icon and registers the device on the attacker's botnet, using Telegram's encrypted connections for command and control.

Once installed, HeroRat lets the attackers remotely control the Android device: intercepting text messages and capturing contacts, sending text messages and making calls, recording audio and the screen, obtaining the device's location, and changing the device's settings, all without the user knowing.

It even provides the attacker with a neat menu of options for controlling the victim's phone or tablet:

What the HeroRat Attacker Sees… (Image: ESET Security)

Safety Tips

Only ever install apps on your Android device via the Google Play Store. Although that in itself is not entirely secure, it is a far safer place than third-party repositories. Always look carefully at pop-ups and device administrator permission prompts when installing any app. If a newly installed app claims it cannot run and is uninstalling itself, do not take the message at face value: check the device's list of installed apps and its list of device admin apps, and remove anything you did not intend to keep.
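A quick way to audit a device for exactly the combination this article warns about (an app installed from outside Google Play that also holds device administrator rights) is to parse two `adb shell` outputs: `pm list packages -i`, which prints each package with its installer, and `dumpsys device_policy`, which lists enabled device admins. The script below is an added example, not code from the original post or from ESET. The two samples it parses are constructed to approximate real `adb` output (field layout varies by Android version, so the regexes are a starting point), the package names are made up, and the choice to treat only `com.android.vending` (Google Play) as a trusted installer is an assumption you may want to widen for managed devices.

```python
"""Triage a device for sideloaded apps that hold device-administrator rights.

Added example, not code from the original post or from ESET. It parses the
text of two adb commands:

    adb shell pm list packages -i      # package name + installer per line
    adb shell dumpsys device_policy    # lists enabled device admins

The samples below are constructed to approximate that output; real devices
vary by Android version, so treat the regexes as a starting point.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample of `pm list packages -i` (not captured from a real device).
SAMPLE_PM_LIST = """\
package:com.android.vending  installer=null
package:com.whatsapp  installer=com.android.vending
package:com.example.freefollowers  installer=null
package:com.example.bankapp  installer=com.android.vending
package:com.corp.mdm  installer=com.android.vending
package:com.example.freevpn  installer=null
package:com.example.freebitcoin  installer=com.google.android.packageinstaller
"""

# Constructed sample of `dumpsys device_policy`, trimmed to the admin section.
SAMPLE_DEVICE_POLICY = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.example.freefollowers/.AdminReceiver:
      uid=10123
      policies:
        wipe-data
        reset-password
    com.corp.mdm/.DeviceAdmin:
      uid=10045
      policies:
        limit-password
  Enabled Device Admins (User 10, provisioningState: 0):
    com.example.freebitcoin/.Admin:
      uid=1010200
"""

# Assumption: only Google Play (com.android.vending) counts as a trusted installer.
TRUSTED_INSTALLERS = {"com.android.vending"}
# Assumption: pre-installed vendor packages also report installer=null, so these
# prefixes are skipped unless the package also holds device admin rights.
SYSTEM_PREFIXES = ("com.android.", "com.google.android.")

PM_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)")
ADMIN_LINE = re.compile(r"^\s+([A-Za-z][\w.]*)/[\w.$]+:\s*$")


@dataclass
class Finding:
    package: str
    installer: Optional[str]
    device_admin: bool
    severity: str  # "high", "review" or "info"


def parse_installers(pm_output: str) -> Dict[str, Optional[str]]:
    """Map package -> installing package (None when adb prints 'null')."""
    result: Dict[str, Optional[str]] = {}
    for line in pm_output.splitlines():
        m = PM_LINE.match(line)
        if m:
            pkg, installer = m.groups()
            result[pkg] = None if installer == "null" else installer
    return result


def parse_device_admins(dumpsys_output: str) -> Set[str]:
    """Collect packages whose admin receiver is enabled, across all users."""
    admins: Set[str] = set()
    in_section = False
    for line in dumpsys_output.splitlines():
        if "Enabled Device Admins" in line:
            in_section = True
            continue
        if in_section:
            m = ADMIN_LINE.match(line)  # e.g. "    com.foo/.AdminReceiver:"
            if m:
                admins.add(m.group(1))
    return admins


def triage(pm_output: str, dumpsys_output: str,
           trusted: Set[str] = TRUSTED_INSTALLERS) -> List[Finding]:
    """Rank packages: untrusted installer + device admin is the HeroRat pattern."""
    installers = parse_installers(pm_output)
    admins = parse_device_admins(dumpsys_output)
    findings: List[Finding] = []
    for pkg in set(installers) | admins:  # an admin absent from pm list is still reported
        installer = installers.get(pkg)
        is_admin = pkg in admins
        untrusted = installer not in trusted
        if is_admin and untrusted:
            severity = "high"
        elif is_admin:
            severity = "info"
        elif untrusted and not pkg.startswith(SYSTEM_PREFIXES):
            severity = "review"
        else:
            continue
        findings.append(Finding(pkg, installer, is_admin, severity))
    order = {"high": 0, "review": 1, "info": 2}
    findings.sort(key=lambda f: (order[f.severity], f.package))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_PM_LIST, SAMPLE_DEVICE_POLICY):
        print(f"{f.severity:6} {f.package:32} installer={f.installer} admin={f.device_admin}")
```

On a real device, feed it `adb shell pm list packages -i` and `adb shell dumpsys device_policy` instead of the constructed samples. A null installer on its own is noisy (pre-installed apps report it too), which is why the script only escalates to "high" when that is combined with device admin rights; a "review" finding is simply a sideloaded app worth a second look.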