TeleRAT is the name of the latest Android Trojan that was discovered by researchers at Palo Alto Networks. The Trojan is designed to use Telegram Bot API for communication with its command and control server with the purpose of exfiltrating data.
The malware appears to have been created in Iran, or is at least targeting individuals in that country. The researchers found quite a few similarities between TeleRAT and the IRRAT Trojan, which also abused Telegram’s bot API for its communications.
Based on previous reports, it is known that Telegram’s Bot API was already being used to harvest information such as SMS, call history and file listings from targeted Android devices.
“The majority of the apps we saw disguise themselves as an app that tells you how many views your Telegram profile received – needless to say, the information provided is inaccurate as Telegram doesn’t allow for populating any such information,” the researchers wrote in their report.
How Does TeleRAT Function?
The Trojan creates and then populates several files on the device’s SD card, and later sends them to the upload server. This is the list of files:
– “[IMEI] numbers.txt”: Contact information
– “[IMEI]acc.txt”: List of Google accounts registered on the phone
– “[IMEI]sms.txt”: SMS history
– 1.jpg: Picture taken with the front-facing camera
– Image.jpg: Picture taken with back-facing camera
Once this is done, the Trojan reports back to the Telegram bot with the help of a beacon.
How did researchers find TeleRAT? While going through IRRAT samples, the team discovered another family of Android RATs that appeared to originate from Iran. Not only did this family use the Telegram API for command and control communications, it also used it to exfiltrate stolen information.
In short, TeleRAT is most likely an upgrade of IRRAT, as it eliminates the possibility of network-based detection that typically relies on traffic to known upload servers.
“Aside from additional commands, this new family’s main differentiator to IRRAT is that it also uploads exfiltrated data using Telegram’s sendDocument API method”, Palo Alto’s report says.
In addition, the Trojan can be updated in two ways – through the getUpdates method, which reveals the history of all the commands sent to the bot, and through the use of a webhook.
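Because TeleRAT both fetches commands (getUpdates / webhook) and uploads stolen files (sendDocument) through api.telegram.org, the Bot API method name in the request path is the most useful network signal a defender has. The following is an added detection example written for this article, not code from the Palo Alto report; the proxy log format and the bot tokens in it are constructed for the demo.

```python
import re
from urllib.parse import urlsplit
# Bot API methods the report ties to TeleRAT: sendDocument carries the stolen
# files out; getUpdates or a webhook delivers operator commands to the bot.
SEVERITY = {"sendDocument": "high", "getUpdates": "medium", "setWebhook": "medium"}
BOT_PATH = re.compile(r"^/bot(?P<token>\d+:[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)$")

# Constructed proxy log lines for the demo (not from the report); tokens are fake.
# Format: "<timestamp> <client-ip> <verb> <url> <user-agent>"
SAMPLE_LOG = """\
2018-03-20T10:01:02Z 10.0.0.12 GET https://www.example.com/index.html Mozilla/5.0
2018-03-20T10:01:07Z 10.0.0.12 POST https://api.telegram.org/bot123456789:AAEXAMPLEtokenAAAAAAAAAAAAAAAAAAAAA/sendDocument okhttp/3.8.1
2018-03-20T10:01:09Z 10.0.0.12 GET https://api.telegram.org/bot123456789:AAEXAMPLEtokenAAAAAAAAAAAAAAAAAAAAA/getUpdates?offset=5 okhttp/3.8.1
2018-03-20T10:02:11Z 10.0.0.33 GET https://api.telegram.org/bot987654321:BBEXAMPLEtokenBBBBBBBBBBBBBBBBBBBBB/getMe okhttp/3.8.1
"""

def classify(url):
    """Return (bot_id, method, severity) for a Telegram Bot API URL, else None."""
    parts = urlsplit(url)
    if parts.hostname != "api.telegram.org":
        return None
    m = BOT_PATH.match(parts.path)
    if not m:
        return None
    # Alert on the numeric bot id only; the full token is a secret (keep it for the takedown request).
    method = m.group("method")
    return m.group("token").split(":")[0], method, SEVERITY.get(method, "low")

def scan_log(text):
    """One alert dict per log line that talks to the Bot API."""
    alerts = []
    for line in text.splitlines():
        fields = line.split(" ", 4)
        if len(fields) < 5:
            continue
        ts, src, verb, url, ua = fields
        hit = classify(url)
        if hit:
            bot_id, method, sev = hit
            alerts.append({"ts": ts, "src": src, "verb": verb, "bot_id": bot_id,
                           "method": method, "severity": sev, "ua": ua})
    return alerts

def suspicious_hosts(alerts):
    """Hosts that both fetched commands and uploaded a document: the RAT pattern."""
    by_src = {}
    for a in alerts:
        by_src.setdefault(a["src"], set()).add(a["method"])
    return {src for src, ms in by_src.items() if "sendDocument" in ms and ms & {"getUpdates", "setWebhook"}}
```

On a fleet where no legitimate app should speak to the Bot API, any hit is worth a look; where some bots are sanctioned, the numeric bot id in the alert lets you allow-list them without ever storing the token.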
As to the distribution techniques it uses, the Trojan is using “seemingly legitimate applications in third-party Android app stores”. According to infection statistics provided by Palo Alto, 2,293 users were hit by this malware, with 82 percent of the victims having Iranian phone numbers.