HeroRat is an Android remote access trojan discovered by ESET researchers that has been distributed since August 2017. In March 2018, the source code for HeroRat became publicly available via Telegram hacking channels, which resulted in attacks leveraging hundreds of variants of the malware. This malware is written in the C# programming language, allowing HeroRat to use the Telesharp library to create Telegram bots where all communications to and from infected Android devices are performed. In order to carry out its malicious capabilities, the malware requires the victim to grant it a wide range of permissions, including device administrator privileges. Once installed, HeroRat will force a pop up to be displayed on the device, stating that the program cannot run and is being uninstalled, removing the app icon from the phone. To the victim it seems the app was uninstalled, when it actually continues to run in the background and spy on victims, exfiltrate files, intercept text messages, steal contacts, send text messages, control device settings, and obtain the device's location. The malware author is selling the HeroRat source code for $650 on telegram channels, available for anyone to purchase.

Reporting and Technical Details

  • June 2018: ESET provides more technical details on HeroRat, here.