Hxxps:///bot a list of installed apps to SD Card to file named “ apps.txt", uploads to upload file listing from, saves to SD Card as “files.txt”, uploads to a GPS listener that monitors location file at on SDCard] Hxxps:///bot/sendmessage?chat_id=&text=call with to CommandĬommunication to Telegram a call to In the background, the app continues to beacon to the Telegram bot at regular intervals and listens for certain commands, as detailed below. Image.jpg: Picture taken with back-facing cameraįinally, it reports back to a Telegram bot (identified by a bot ID hardcoded in each RAT’s source code) with the below beacon, and the application icon is then hidden from the phone's app menu:.1.jpg: Picture taken with the front-facing camera.“acc.txt”: List of Google accounts registered on the phone.
TeleRAT works by creating and then populating the following files on the phone’s SD Card and sending them to the upload server, after the app’s first launch: We used the below sample for this analysis. We continue to see IRRAT active in the wild to this date. The majority of the apps we saw disguise themselves as an app that tells you how many views your Telegram profile received – needless to say, the information provided is inaccurate as Telegram doesn’t allow for populating any such information. TeleRAT not only abuses Telegram's Bot API for Command and Control (C2), it also abuses it for data exfiltration, unlike IRRAT.īased on previous reports, we know Telegram's Bot API was already being employed by attackers to steal information ranging from SMS and call history to file listings from infected Android devices. This blog details our findings navigating through some Operational Security (OPSEC) fails while sifting through multiple malicious APK variants abusing Telegram's Bot API including the discovery of a new Trojan we've named “TeleRAT”.
And while Android malware abusing Telegram's Bot API to target Iranian users is not fresh news (the emergence of a Trojan using this method called IRRAT was discussed in June and July 2017), we set out to investigate how these Telegram Bots were being abused to command and control malicious Android applications. Telegram Bots are special accounts that do not require an additional phone number to setup and are generally used to enrich Telegram chats with content from external services or to get customized notifications and news.
0 kommentar(er)
