A new family of malware capable of comprehensive surveillance is targeting Android devices through the encrypted messaging app Telegram, according to research from antivirus vendor ESET.
The malware – which has mostly been distributed in Iran – ensnares its victims by posing as an application pledging more social media followers, bitcoin, or free Internet connections, according to ESET. Once downloaded, the malware can carry out surveillance tasks ranging from intercepting text messages to recording audio and screen images from devices, ESET researcher Lukas Stefanko explained in a blog post.
Each compromised device is controlled via a bot that the attacker commandeers via Telegram, which recently boasted 200 million monthly users.
“Attackers can control victimized devices by simply tapping the buttons available in the version of the malware they are operating,” Stefanko wrote.
The malware family has proliferated since at least last August, according to ESET. In March, its source code was distributed for free on Telegram channels, spawning hundreds of variants, Stefanko wrote. One of those offshoots stood out to ESET because it is sold on a separate Telegram channel under the name HeroRat. The malware goes for $25, $50, or $100, depending on the functionality being sold.
The malware hasn’t surfaced in the Google Play store, Stefanko wrote, adding that Android users should download apps only from the official store to avoid potentially malicious apps. Such nefarious programs have been knocking on Google Play’s door in droves: With the help of machine learning, security specialists removed 700,000 malicious apps from the store last year.
Like the Red Drop malware revealed in February, HeroRat circumvents Google Play, abusing the trust mobile device users often place in alluring applications.
UPDATE, 1:11 p.m. EDT: In response to a request for comment from CyberScoop on Twitter, Telegram said the following:
“This [malware] doesn’t target Telegram users specifically, merely uses the Telegram bot API to communicate with its owner. See the ‘How to stay safe’ section in the article for protection tips. (In a word: Don’t install apps from unknown sources).”