While spyware using the Telegram Bot API is limited, it's the first Android Trojan controlled via Telegram’s message-exchange protocol. Avast investigates.
A spyware app communicating via the Telegram Bot API has recently targeted Iranian Android users, uploading extensive personal data about users on a remote server in Iran.
While slightly different versions of the spyware app exist – one promises to tell you how many visitors viewed your Telegram profile, others mask as a Cleaner Pro or Profile Checker app – they all offer the same functions and spy on your Android device. And because cybercriminals don’t have to create their own communication or set up encryption to run the scam (just set up a Telegram bot!), it’s more likely to be used by more bad actors as a ready-to-run “solution,” even if only in the short term.
The spyware pretends to be legit and lures potential victims by promising what the Telegram app itself doesn’t provide: the number of people who’ve looked at your listing. Similar scam apps exist for Facebook, promising to show you who has “unfriended” you. Once a user has downloaded it, the app requests your Telegram credentials so it can supposedly retrieve the number of people who’ve viewed your profile. Your score actually depends on a pseudorandom number generator, meaning you can be told you have as many as 9,999,999 viewers.
Description: Wow, your profile has been viewed by 7,358,982 people!
The app then waits a while, quits, and hides its icon. Now that most victims believe it’s been removed from their device, it can start getting busy in the background.
The app only hides its icon from your list of apps, but you can still find it under installed apps in your device settings.
One of the first things this app does is take and save a photo of you, using your device’s front camera. Then your contact information, incoming and outgoing SMS messages, and Google account info are illegally captured and stored in new, separate files for later uploading to the attacker's server.
Once your device has communicated with the attacker via the Telegram Bot API that it can now send and receive commands, it will upload your text messages (including sender and recipient phone numbers and message contents), list of contacts, Google email address, location, and photo. The attacker can also request files that are yours, not just the ones newly created by the app.
At this point, the spyware developers can send a variety of additional commands, essentially remote-controlling your device, including orders to:
The spyware uploads all files via PHP script and saves them to the /rat/uploads directory on the server. These files are available to anyone who enters the right URL into a browser, likely due to inadequate security measures taken by the attacker.
The script used for file upload is very basic and doesn’t sanitize the input at all. A week after the first posts about this Android spyware, someone had already injected malicious PHP script into the /rat/uploads directory, giving anyone who runs it access to the server's shell in their browser. The server currently looks like a penetration testing school project, meaning several people try and upload more malicious files. Some of them delete the stolen data that shows up in the directory, while others just test what they can do with the server behind the owner’s back.
Always make sure your own security is tight before attacking others
Following these steps can protect you not only from this particular spyware, but also from most malicious apps.
And it never hurts to have another line of defense, such as Avast Free Mobile Security, which not only blocks malware and viruses, but also lets you connect privately, block calls, and lock apps.
To sum it up, this spyware is stealthy and poses a huge risk to victims’ privacy, leaving unwitting Telegram users on Android open to being tracked, spied on, and robbed of data. Even worse, the attacker’s negligence leaves the collected, sensitive information accessible to anyone.
During our analysis, we also noticed that some samples contained extra capabilities not used in the app, such as the ability to check whether the device is rooted or if the app was run in emulator. This means the spyware is either still a work in progress or that its creator built the app on top of a bigger framework, then decided not to use all of its features. In any case, don’t trust your device or your data to it.
Servers hosting the uploaded files:
Telegram bots used:
Image: Álvaro Ibáñez
Information belonging to over 100 Italian banks breached by the Ursnif banking trojan was obtained by Avast Threat Labs, which then shared the data with as many of the victims as could be identified.
Avast researchers obtained information that the Ursnif banking Trojan has targeted 100 Italian banks and may have thousands of victims.