Attackers are abusing the Telegram Bot API to target unsuspecting Iranian Android users with spyware.
This malware campaign begins with attackers setting up a bot for Telegram, the popular instant messaging service. This bot provides an attacker’s scam with a means of communication that runs over HTTPS. As such, they don’t have to build and design their own custom encrypted communication infrastructure.
Avast’s Nikolaos Chrysaidos explains how the spyware gets the ball rolling:
“The spyware pretends to be legit and lures potential victims by promising what the Telegram app itself doesn’t provide: the number of people who’ve looked at your listing. Similar scam apps exist for Facebook, promising to show you who has “unfriended” you. Once a user has downloaded it, the app requests your Telegram credentials so it can supposedly retrieve the number of people who’ve viewed your profile. Your score actually depends on a pseudorandom number generator, meaning you can be told you have as many as 9,999,999 viewers.”
Once it’s given the user a random number, the spyware waits before hiding its icon and then launching its malicious activity.
First, it uses the infected device’s front camera to snap a picture of the victim. Second, it stores the device’s contact information, incoming/outgoing SMS messages, and Google account info in new files. Lastly, it uploads that data along with the photo and current location of the device to a remote server that’s based in Iran and operated by the attackers.
But that’s not all. Attackers can also use the spyware to make a call or send an SMS message on the device as well as upload additional information to the server.
Spyware is bad enough in that someone you don’t know can view your personal information and/or control certain functions of your computing device. But when an attacker has terrible security, such malware can become even worse by exposing your information to a larger pool of individuals.
Chrysaidos says that’s the case with this spyware:
“The spyware uploads all files via PHP script and saves them to the /rat/uploads directory on the server. These files are available to anyone who enters the right URL into a browser, likely due to inadequate security measures taken by the attacker.”
To protect yourself against Telegram-abusing attackers, make sure you only download apps from trusted developers on Google’s official Play Store. As such, take a note of other users’ reviews of an app before you download it, and read the app’s requested permissions before you agree to install it.