HeroRat Trojan Uses Telegram Bot to Control Infected Devices
Security researcher Lukas Stefanko from ESET has revealed details about a new Android remote access trojan (RAT) called HeroRat, which uses a Telegram bot to control infected devices. HeroRat has been known since at least August 2017, but in March 2018, its source code was published on hacker Telegram channels, leading to the emergence of countless variants.
Although the malware’s source code is freely available, one of its versions is being sold on a Telegram channel for a three-digit price, depending on its features. Additionally, buyers have access to a video support channel. It is unclear whether this version was created from the leaked source code or if its own code was later made public, according to Stefanko.
Unique Features of HeroRat
Unlike other Telegram-based trojans, HeroRat was written from scratch in C# using the Xamarin framework, which is unusual because most Android trojans are written in Java. The authors also adapted the Telegram protocol to the language they used: instead of calling the Telegram Bot API as other RATs do, HeroRat relies on the Telesharp library to create Telegram bots in C#.
Distribution and Infection
HeroRat is distributed through third-party app stores, social networks, and messaging apps. Most infected devices are located in Iran. After installation, the device displays a notification stating that the app cannot be launched and will be uninstalled. The app icon disappears from the screen, but the malware remains active on the device.
Capabilities and Control
The trojan can monitor users, steal files stored on the device, intercept and send messages, steal contacts, make calls, take screenshots, record audio, determine the device’s location, and manage its settings. All of these functions are controlled via clickable buttons in the Telegram bot interface.
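As an added defender-side example (not code from ESET or from the HeroRat write-up), the script below triages a decoded AndroidManifest.xml the way an analyst would after pulling an APK from a third-party store: it collects the requested permissions, maps them onto the surveillance capabilities listed above, checks whether the app declares a launcher activity and a boot receiver, and flags apps that combine several of those capabilities with network access. The manifest text, the package name `com.example.constructed`, the component names and the flagging threshold are constructed assumptions for illustration.

```python
"""Triage a decoded AndroidManifest.xml for RAT-like permission combinations.

Added example, not the project's or ESET's code. Assumes a manifest decoded
with a tool such as apktool; the sample manifests below are constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"   # the namespaced android:name attribute

# Capabilities named in the report, mapped to the permissions an app needs
# to implement them (screenshots are omitted: they need MediaProjection or
# accessibility access rather than a manifest permission).
CAPABILITY_PERMISSIONS = {
    "intercept or send SMS": {"android.permission.READ_SMS",
                              "android.permission.RECEIVE_SMS",
                              "android.permission.SEND_SMS"},
    "steal contacts": {"android.permission.READ_CONTACTS"},
    "make calls": {"android.permission.CALL_PHONE"},
    "record audio": {"android.permission.RECORD_AUDIO"},
    "determine location": {"android.permission.ACCESS_FINE_LOCATION",
                           "android.permission.ACCESS_COARSE_LOCATION"},
    "read files on device": {"android.permission.READ_EXTERNAL_STORAGE"},
}
RAT_THRESHOLD = 4   # assumed: flag when this many capabilities are combined

# Constructed manifest resembling a surveillance app (package name is made up).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".CommandService"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed manifest of an ordinary weather-style app for comparison.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""


def parse_manifest(xml_text: str) -> dict:
    """Extract package name, permissions, launcher and boot-persistence facts."""
    root = ET.fromstring(xml_text)
    permissions = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}
    has_launcher = False
    for activity in root.iter("activity"):
        for flt in activity.iter("intent-filter"):
            actions = {a.get(NAME_ATTR) for a in flt.iter("action")}
            categories = {c.get(NAME_ATTR) for c in flt.iter("category")}
            if ("android.intent.action.MAIN" in actions
                    and "android.intent.category.LAUNCHER" in categories):
                has_launcher = True
    starts_on_boot = any(a.get(NAME_ATTR) == "android.intent.action.BOOT_COMPLETED"
                         for a in root.iter("action"))
    return {"package": root.get("package"), "permissions": permissions,
            "has_launcher": has_launcher, "starts_on_boot": starts_on_boot}


def rat_capabilities(permissions: set) -> list:
    """Return the report's capabilities that the permission set enables."""
    return sorted(cap for cap, needed in CAPABILITY_PERMISSIONS.items()
                  if permissions & needed)


def triage(xml_text: str) -> dict:
    """Parse a manifest and decide whether it looks like a remote-control tool."""
    info = parse_manifest(xml_text)
    info["capabilities"] = rat_capabilities(info["permissions"])
    info["suspicious"] = (len(info["capabilities"]) >= RAT_THRESHOLD
                          and "android.permission.INTERNET" in info["permissions"])
    return info


if __name__ == "__main__":
    for manifest in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        result = triage(manifest)
        print(result["package"], "suspicious" if result["suspicious"] else "ok",
              result["capabilities"])
```

A launcher activity in the manifest does not prove the icon is visible: an Android app can disable its own launcher component at runtime with PackageManager, which is one way an icon can vanish while the app keeps running, as described for HeroRat above. On a live device, pair this static check with the component's enabled state as reported by `dumpsys package <name>`.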