njRat
njRat

Cybercriminals are marketing and selling the Android RAT HeroRat on Telegram using a good, better and best sales model, despite the fact the source code is available for free.

Researchers at ESET came across the RAT malware behind HeroRat while studying the previously known malware types IRRAT and TeleRAT. The new malware is believed to have been spreading in the wild since August 2017, but in March 2018 the actors behind it made the source code available for free on various Telegram hacking channels. This has led to hundreds of variants popping up, including the one nicknamed HeroRat

The malicious actors/entrepreneurs are using the well-known retail practice of offering different levels of HeroRat functionality with the more expensive giving the purchaser greater control over any compromised devices. In this case, interested parties can buy the bronze, silver and gold models for $25, $50 and $100, respectively or they can opt to purchase the source code itself for $650. This despite the fact the malware can be had for free.

The buyer also receives customer support through a video channel.

The malware is spread through third-party app stores, social media and messaging apps, primarily in Iran and promises to deliver free bitcoin, free internet connections or the ability to deliver more followers on social media. So far, ESET said, it has not been spotted in Google's official Play store.

The malware runs on all Android versions, but in order to download the malware package, the victim must accept its permissions, which can include granting the device administrator privileges. To accomplish this HeroRat's social engineering is actually quite straightforward telling the target exactly what powers he or she is allowing the software to have, including erasing all data, changing the password and locking the screen.

However, once the permissions are granted the malware begins to get tricky. The victim is almost immediately presented with a note saying the app is not compatible with the device and must be uninstalled. However, this is a lie. The app is not removed, even though its icon disappears, but in fact, that process registers the now compromised device with the malicious actors.

The malware uses Telegram's bot functionality to control the device and then goes about its business of exfiltrating data,  intercepting text messages and contacts, sending text messages and making calls, audio and screen recording, obtaining device location, and controlling the device's settings.

HeroRat's authors wrote the malware in C# using the Xamarin framework, ESET said, which is highly unusual as most Android RATs encountered on Telegram use Android Java.

The malware can be removed using most available mobile security solutions.