TeleRAT is a new family of Android malware, discovered by Unit 42 researchers at Palo Alto Networks, that uses Telegram's bot API as its command-and-control channel for data exfiltration. The malware is distributed through third-party Android app stores disguised as legitimate apps, such as Telegram Finder. Once installed, the app creates two files in the app's internal directory. The first file collects information about the device, such as the number of CPU cores, external memory size, and bootloader version number, while the second file contains a Telegram channel and a list of commands. Once the attackers receive a message with the current date and time via the Telegram Bot API, a background service starts that listens for changes to the clipboard on the infected device. Every 4.6 seconds, the malware polls the Telegram bot API for commands such as "Get Contacts", "Get Clipboard", "Get Location", "Receive SMS Messages", and "Take Photo". Because TeleRAT's communications travel through the legitimate bot API, they tend to go unnoticed by network-based detection.
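
Because the C2 traffic blends in with legitimate Telegram API use, one practical defensive signal is the timing rather than the destination: a client contacting api.telegram.org at a near-constant 4.6-second cadence looks like a bot poll, not a human chatting. The script below is an added example (not from the Unit 42 report) that runs that check over constructed proxy-log lines; the log format, the tolerance and jitter thresholds, and the client addresses are assumptions.

```python
"""Flag clients that poll api.telegram.org on a fixed ~4.6 s cadence (TeleRAT-style beaconing)."""
import statistics
from collections import defaultdict
from datetime import datetime

TELEGRAM_API = "api.telegram.org"
POLL_INTERVAL = 4.6   # seconds, the polling interval reported for TeleRAT
TOLERANCE = 0.3       # assumed: allowed deviation of the median gap from POLL_INTERVAL
MAX_JITTER = 0.5      # assumed: max std-dev of gaps for "machine-like" timing
MIN_REQUESTS = 5      # assumed: fewer requests than this is not enough evidence

# Constructed sample log: "<timestamp> <client IP> <destination host>".
# 10.0.0.5 polls Telegram every ~4.6 s; 10.0.0.7 is an irregular (human) Telegram user;
# 10.0.0.9 polls another host regularly and must be ignored.
SAMPLE_LOG = [
    "2018-03-20T10:00:00.0 10.0.0.5 api.telegram.org",
    "2018-03-20T10:00:01.0 10.0.0.7 api.telegram.org",
    "2018-03-20T10:00:04.6 10.0.0.5 api.telegram.org",
    "2018-03-20T10:00:09.0 10.0.0.7 api.telegram.org",
    "2018-03-20T10:00:09.2 10.0.0.5 api.telegram.org",
    "2018-03-20T10:00:13.9 10.0.0.5 api.telegram.org",
    "2018-03-20T10:00:18.5 10.0.0.5 api.telegram.org",
    "2018-03-20T10:00:23.1 10.0.0.5 api.telegram.org",
    "2018-03-20T10:01:30.0 10.0.0.7 api.telegram.org",
    "2018-03-20T10:02:02.0 10.0.0.7 api.telegram.org",
    "2018-03-20T10:02:03.0 10.0.0.7 api.telegram.org",
] + [f"2018-03-20T10:00:{4.6 * i:04.1f} 10.0.0.9 example.com" for i in range(6)]


def parse_line(line):
    """Split one constructed log line into (timestamp, client, host)."""
    ts, client, host = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f"), client, host


def find_beacons(lines, interval=POLL_INTERVAL):
    """Return {client: median gap} for clients whose Telegram API requests are evenly spaced."""
    times = defaultdict(list)
    for line in lines:
        ts, client, host = parse_line(line)
        if host == TELEGRAM_API:          # only the Telegram API host matters here
            times[client].append(ts)
    flagged = {}
    for client, stamps in times.items():
        if len(stamps) < MIN_REQUESTS:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        median, jitter = statistics.median(gaps), statistics.pstdev(gaps)
        if abs(median - interval) <= TOLERANCE and jitter <= MAX_JITTER:
            flagged[client] = round(median, 2)
    return flagged


if __name__ == "__main__":
    print(find_beacons(SAMPLE_LOG))  # → {'10.0.0.5': 4.6}
```

On TLS traffic the request path is not visible, so this keys only on the destination host (from DNS, SNI or a proxy CONNECT) and on timing; legitimate Telegram clients produce irregular traffic and are not flagged.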

Technical Details

  • Unit 42 researchers at Palo Alto Networks provide a technical analysis of TeleRAT here.