The Scary Ways Your Android Is Using Malware Right Now

Malware isn’t just for computers anymore, which is why Android security should be taken just as seriously as any other cybersecurity issue, say industry experts. In light of their current popularity, it makes sense hackers are now looking to target Android devices, especially given the amount of data they can hold. And as well all know, there is nothing more valuable in the digital world than an unprotected cache of information.

Here’s the latest news from the world of Android security and malware—and it’s not pretty. A new, highly-concerning strain of malware has recently been detected, strong enough to leave users exposed to data breach and theft. By employing this new breed of mobile malware, hackers can feasibly spy on unsuspecting individuals, recording their actions and inputs while using the Android device.

Security researchers at ESET, an antivirus and security solutions provider, recently discovered the malware to be a Telegram-abusing Android RAT, now fondly known as “HeroRat.” This strain of malware—which can fool Android user into downloading it through a promise of false services—gives the impression of being a helpful app offering things like free internet connections, free Bitcoin, or more followers on social media. And because these are all attractive opportunities to many users, the malware has been surprisingly successful in spreading itself around.

Once downloaded, HeroRat can perform many surveillance actions, including audio recording, screen recording, and text message interception. It can also help hackers tap into a user’s contacts, control the settings of a hacked device, obtain location, and even make calls.

In a detailed blog post, ESET malware researcher, Lukas Stefanko, explains how the malware works. He writes, “Attackers lure victims into downloading the RAT by spreading it under various attractive-sounding guises, via third-party app stores, social media, and messaging apps. We’ve seen the malware distributed mostly in Iran as apps promising free bitcoins, free internet connections, and additional followers on social media. The malware has not been seen on Google Play.”

Technically speaking, the malware can run on any version of Android and is installed once a user grants it permission as a legitimate application. Sometimes, the permission might even include activating the app as device administrator. This malicious app can also give users the impression that it is being uninstalled upon request, when in fact it cannot be removed once downloaded. Instead, it continues to exploit the bot functionality of the Telegram app and gains control over the device.

Lukas Stefanko writes- “After the malware is installed and launched on the victim’s device, a small popup appears, claiming the app can’t run on the device and will therefore be uninstalled. In the variants we analyzed, the fake uninstall message can be displayed in English or Persian, depending on the target device‘s language settings…After the uninstallation is seemingly completed, the app’s icon disappears. On the attacker’s side, however, a new victimized device has just been registered.”

Stefanko adds, “Having gained access to the victim’s device, the attacker then leverages Telegram’s bot functionality to control the newly listed device. Each compromised device is controlled via a bot, set up and operated by the attacker using the Telegram app.” The Telegram app, which is widely used, has almost 200 million monthly users.

Stefanko’s blog post also details how hackers access the malware and use it to control Android devices. According to him, “The malware’s capabilities are accessible in the form of clickable buttons in the Telegram bot interface. Attackers can control victimized devices by simply tapping the buttons available in the version of the malware they are operating.”

Further, Stefanko says, “Unlike the Telegram-abusing Android RATs previously analyzed, which are written in standard Android Java, this newly-discovered malware family has been developed from scratch in C# using the Xamarin framework, a rare combination for Android malware. The way the malware communicates via the Telegram protocol has been adapted to its programming language. Instead of the Telegram Bot API leveraged by the RATs previously described, this malware family uses Telesharp, a library for creating Telegram bots with C#. Communicating commands to and exfiltrating data from the compromised devices are both covered entirely via the Telegram protocol, a measure aimed at avoiding detection based on traffic to known upload servers.” However, experts suggest this malware, which only uses the Telegram bot functionality for its communication, doesn’t target Telegram users specifically.

The best way to stay safe from such malware is to carefully read user reviews before purchasing anything and ensure all downloaded apps come only from the official Google Play store. It’s also important to be extra cautious about any permissions granted to third-party apps, as they can transfer a great deal of control to outside forces. And of course, using good security software is also important.