{
	"id": "6cb52d8e-ead5-44ab-9fb6-8996464e424a",
	"created_at": "2026-04-06T00:22:04.286737Z",
	"updated_at": "2026-04-10T13:12:35.688036Z",
	"deleted_at": null,
	"sha1_hash": "65b7117de248514b804c9daf489e15cde365b40d",
	"title": "New Telegram-abusing Android RAT discovered in the wild",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2545640,
	"plain_text": "New Telegram-abusing Android RAT discovered in the wild\r\nBy Lukas Stefanko\r\nArchived: 2026-04-05 20:10:14 UTC\r\nEntirely new malware family discovered by ESET researchers\r\n18 Jun 2018  •  , 4 min. read\r\nESET researchers have discovered a new family of Android RATs (Remote Administration Tools), that has been\r\nabusing the Telegram protocol for command and control, and data exfiltration.\r\nInvestigating what at first seemed like increased activity on the part of the previously reported IRRAT and\r\nTeleRAT, we identified an entirely new malware family that has been spreading since at least August 2017. In\r\nMarch 2018, its source code was made available for free on Telegram hacking channels, and as a result, hundreds\r\nof parallel variants of the malware have been circulating in the wild.\r\nOne of these variants is different from the rest – despite the freely available source code, it is offered for sale on a\r\ndedicated Telegram channel, marketed under the name HeroRat. It is available in three pricing models according\r\nto functionality, and comes with a support video channel. It is unclear whether this variant was created from the\r\nleaked source code, or if it is the “original” whose source code was leaked.\r\nhttps://www.welivesecurity.com/2018/06/18/new-telegram-abusing-android-rat/\r\nPage 1 of 10\n\nHow does it operate?\r\nAttackers lure victims into downloading the RAT by spreading it under various attractive-sounding guises, via\r\nthird-party app stores, social media and messaging apps. We’ve seen the malware distributed mostly in Iran, as\r\napps promising free bitcoins, free internet connections, and additional followers on social media. The malware has\r\nnot been seen on Google Play.\r\nhttps://www.welivesecurity.com/2018/06/18/new-telegram-abusing-android-rat/\r\nPage 2 of 10\n\nFigure 1 – Some of the guises used to propagate the RAT\r\nhttps://www.welivesecurity.com/2018/06/18/new-telegram-abusing-android-rat/\r\nPage 3 of 10\n\nThe malware runs on all Android versions: however, affected users need to accept permissions required by the app\r\n(sometimes including activating the app as device administrator), which is where social engineering comes into\r\nplay.\r\nhttps://www.welivesecurity.com/2018/06/18/new-telegram-abusing-android-rat/\r\nPage 4 of 10\n\nhttps://www.welivesecurity.com/2018/06/18/new-telegram-abusing-android-rat/\r\nPage 5 of 10\n\nFigure 2 – The RAT requesting device administrator rights\r\nAfter the malware is installed and launched on the victim’s device, a small popup appears, claiming the app can’t\r\nrun on the device and will therefore be uninstalled. In the variants we analyzed, the fake uninstall message can be\r\ndisplayed in English or Persian, depending on the target device‘s language settings.\r\nAfter the uninstallation is seemingly completed, the app’s icon disappears. On the attacker's side, however, a new\r\nvictimized device has just been registered.\r\nFigure 3 - HeroRat author’s demonstration of installing the RAT on his own device (screenshots from an\r\ninstructional video provided by the malware author)\r\nhttps://www.welivesecurity.com/2018/06/18/new-telegram-abusing-android-rat/\r\nPage 6 of 10\n\nFigure 4 – Malware source code with fake uninstallation messages in both English and Persian\r\nHaving gained access to the victim’s device, the attacker then leverages Telegram’s bot functionality to control the\r\nnewly listed device. Each compromised device is controlled via a bot, set up and operated by the attacker using\r\nthe Telegram app.\r\nThe malware has a wide array of spying and file exfiltration capabilities, including intercepting text messages and\r\ncontacts, sending text messages and making calls, audio and screen recording, obtaining device location, and\r\ncontrolling the device’s settings.\r\nHeroRat’s functionality is divided into three “bundles” – bronze, silver and gold panels – offered for sale for 25,\r\n50, and 100 USD, respectively. The source code itself is offered for 650 USD by HeroRat’s (ambitious) author.\r\nThe malware’s capabilities are accessible in the form of clickable buttons in the Telegram bot interface. Attackers\r\ncan control victimized devices by simply tapping the buttons available in the version of the malware they are\r\noperating.\r\nhttps://www.welivesecurity.com/2018/06/18/new-telegram-abusing-android-rat/\r\nPage 7 of 10\n\nhttps://www.welivesecurity.com/2018/06/18/new-telegram-abusing-android-rat/\r\nPage 8 of 10\n\nFigure 5 – HeroRat control panel\r\nFigure 6 – HeroRat functionality – from left to right, “Bronze panel”, “Silver panel” and “Gold panel”\r\n(screenshots from an instructional video provided by the malware author)\r\nUnlike the Telegram-abusing Android RATs previously analyzed, which are written in standard Android Java, this\r\nnewly-discovered malware family has been developed from scratch in C# using the Xamarin framework – a rare\r\ncombination for Android malware.\r\nThe way the malware communicates via the Telegram protocol has been adapted to its programming language –\r\ninstead of the Telegram Bot API leveraged by the RATs previously described, this malware family uses Telesharp,\r\na library for creating Telegram bots with C#.\r\nCommunicating commands to and exfiltrating data from the compromised devices are both covered entirely via\r\nthe Telegram protocol – a measure aimed at avoiding detection based on traffic to known upload servers.\r\nHow to stay safe\r\nWith the malware’s source code recently made available for free, new mutations could be developed and deployed\r\nanywhere in the world. Since the distribution method and form of disguise of this malware varies case by case,\r\nchecking your device for the presence of any specific applications is not enough to tell if your device has been\r\ncompromised.\r\nhttps://www.welivesecurity.com/2018/06/18/new-telegram-abusing-android-rat/\r\nPage 9 of 10\n\nIf you have reason to believe your device has been compromised by this malware, scan it using a reliable mobile\r\nsecurity solution. ESET systems detect and block this threat as Android/Spy.Agent.AMS and\r\nAndroid/Agent.AQO.\r\nTo avoid falling victim to Android malware, stick to the official Google Play store when downloading apps, make\r\nsure to read user reviews before downloading anything to your device and pay attention to what permissions you\r\ngrant to apps both before and after installation.\r\nIoCs\r\nPackage Name Hash Detection\r\nSystem.OS 896FFA6CB6D7789662ACEDC3F9C024A0 Android/Agent.AQO\r\nAndro.OS E16349E8BB8F76DCFF973CB71E9EA59E Android/Spy.Agent.AMS\r\nFreeInterNet.OS 0E6FDBDF1FB1E758D2352407D4DBF91E Android/Agent.AQO\r\nLet us keep you\r\nup to date\r\nSign up for our newsletters\r\nSource: https://www.welivesecurity.com/2018/06/18/new-telegram-abusing-android-rat/\r\nhttps://www.welivesecurity.com/2018/06/18/new-telegram-abusing-android-rat/\r\nPage 10 of 10\n\n  https://www.welivesecurity.com/2018/06/18/new-telegram-abusing-android-rat/     \nThe malware runs on all Android versions: however, affected users need to accept permissions required by the app\n(sometimes including activating the app as device administrator), which is where social engineering comes into\nplay.       \n   Page 4 of 10",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.welivesecurity.com/2018/06/18/new-telegram-abusing-android-rat/"
	],
	"report_names": [
		"new-telegram-abusing-android-rat"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434924,
	"ts_updated_at": 1775826755,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/65b7117de248514b804c9daf489e15cde365b40d.pdf",
		"text": "https://archive.orkl.eu/65b7117de248514b804c9daf489e15cde365b40d.txt",
		"img": "https://archive.orkl.eu/65b7117de248514b804c9daf489e15cde365b40d.jpg"
	}
}