
TeleRAT Android Trojan Uses Telegram Bot API for C&C Communication

TeleRAT is the name of the latest Android Trojan discovered by researchers at Palo Alto Networks. The Trojan uses the Telegram Bot API to communicate with its command and control server and to exfiltrate data.

The malware appears to have been created in Iran, or is at least targeting individuals from that country. The researchers found quite a few similarities between TeleRAT and the IRRAT Trojan, which was also abusing Telegram's bot API for its communications.


Based on previous reports, it is known that Telegram’s Bot API was already being used to harvest information such as SMS, call history and file listings from targeted Android devices.

“The majority of the apps we saw disguise themselves as an app that tells you how many views your Telegram profile received – needless to say, the information provided is inaccurate as Telegram doesn’t allow for populating any such information,” the researchers wrote in their report.

How Does TeleRAT Function?

The Trojan creates and then populates several files on the device’s SD card, and later sends them to the upload server. This is the list of files:

– “[IMEI] numbers.txt”: Contact information
– “[IMEI]acc.txt”: List of Google accounts registered on the phone
– “[IMEI]sms.txt”: SMS history
– 1.jpg: Picture taken with the front-facing camera
– Image.jpg: Picture taken with back-facing camera

Once this is done, the Trojan reports back to the Telegram bot with the help of a beacon.

How did researchers find TeleRAT? While going through IRRAT samples, the team discovered another family of Android RATs that appeared to originate from Iran. Not only did this family use the Telegram API for command and control communications, but it also used it to exfiltrate stolen information.

In short, TeleRAT is most likely an upgrade of IRRAT, as it eliminates the possibility of network-based detection that typically relies on traffic to known upload servers.

“Aside from additional commands, this new family’s main differentiator to IRRAT is that it also uploads exfiltrated data using Telegram’s sendDocument API method,” Palo Alto’s report says.


In addition, the Trojan can receive updates in two ways: through the getUpdates method, which reveals the history of all the commands sent to the bot, and through the use of a Webhook.
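Because TeleRAT talks to api.telegram.org instead of a bespoke upload server, the Bot API method names in the URL path (sendDocument for uploads, getUpdates for polling) are what a defender can key on. The following detection script is an added example, not code from the article or from Palo Alto Networks; it runs over constructed proxy log lines with a dummy bot token, and the setWebhook method name is the real Bot API call that the page's "Webhook" channel refers to but does not name.

```python
import re
from urllib.parse import urlsplit

# Bot API methods named on the page (sendDocument, getUpdates) plus setWebhook,
# the real Bot API call used to register the Webhook channel the page mentions.
TELEGRAM_API_HOST = "api.telegram.org"
BOT_PATH = re.compile(r"^/bot(?P<token>\d+:[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)$")
METHOD_MEANING = {
    "sendDocument": "file upload (possible exfiltration)",
    "getUpdates": "polling bot for commands",
    "setWebhook": "registering push channel for commands",
}

def classify(url):
    """Return (redacted_token, method, meaning) for a Telegram Bot API URL, else None."""
    parts = urlsplit(url)
    if parts.hostname != TELEGRAM_API_HOST:
        return None
    m = BOT_PATH.match(parts.path)
    if not m:
        return None
    bot_id = m.group("token").split(":", 1)[0]
    redacted = bot_id + ":" + "*" * 8  # keep the bot id, never log the secret half
    method = m.group("method")
    return redacted, method, METHOD_MEANING.get(method, "other Bot API method")

def scan_proxy_log(lines):
    """Collect alerts from proxy log lines (constructed format: ts client verb url)."""
    alerts = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line, skip rather than crash
        ts, client, verb, url = fields[:4]
        hit = classify(url)
        if hit:
            alerts.append({"ts": ts, "client": client, "verb": verb,
                           "bot": hit[0], "method": hit[1], "meaning": hit[2]})
    return alerts

# Constructed sample log lines (not real traffic); the bot token is a dummy value.
SAMPLE_LOG = [
    "2018-03-20T10:01:02Z 10.0.0.15 GET https://api.telegram.org/bot123456:ABC-DEF1234ghIkl-zyx57W2v1u123ew11/getUpdates",
    "2018-03-20T10:01:05Z 10.0.0.15 POST https://api.telegram.org/bot123456:ABC-DEF1234ghIkl-zyx57W2v1u123ew11/sendDocument",
    "2018-03-20T10:01:07Z 10.0.0.22 GET https://example.com/index.html",
    "2018-03-20T10:01:09Z 10.0.0.15 GET https://api.telegram.org/bot123456:ABC-DEF1234ghIkl-zyx57W2v1u123ew11/setWebhook",
]

if __name__ == "__main__":
    for alert in scan_proxy_log(SAMPLE_LOG):
        print(alert)
```

On a real proxy or DNS log, a single mobile client that both polls getUpdates and POSTs to sendDocument is the pattern worth escalating; ordinary Telegram clients do not use bot-token URLs.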

As to its distribution, the Trojan is spread through “seemingly legitimate applications in third-party Android app stores”. According to infection statistics provided by Palo Alto, 2,293 users were hit by this malware, with 82 percent of the victims having Iranian phone numbers.

Milena Dimitrova
