New Android malware hijacks Telegram for surveillance

The software pulls information from Facebook Messenger, WhatsApp, and Line, an end-to-end encrypted messaging application that's popular in Asia. (Flickr user StevenW / CC-BY-2.0)

A new family of malware capable of comprehensive surveillance is targeting Android devices through the encrypted messaging app Telegram, according to research from antivirus vendor ESET.

The malware – which has mostly been distributed in Iran – lures its victims by posing as an app that promises more social media followers, bitcoin, or free Internet connections, according to ESET. Once installed, the malware can carry out surveillance tasks ranging from intercepting text messages to recording audio and capturing the device's screen, ESET researcher Lukas Stefanko explained in a blog post.

Each compromised device is controlled through a Telegram bot that the attacker operates; Telegram recently said it has 200 million monthly users.

“Attackers can control victimized devices by simply tapping the buttons available in the version of the malware they are operating,” Stefanko wrote.

The malware family has proliferated since at least last August, according to ESET. In March, its source code was distributed for free on Telegram channels, spawning hundreds of variants, Stefanko wrote. One of those offshoots stood out to ESET because it is sold on a separate Telegram channel under the name HeroRat. The malware goes for $25, $50, or $100, depending on the functionality being sold.

The malware hasn’t surfaced in the Google Play store, Stefanko wrote, adding that Android users should install apps only from the official store to avoid potentially malicious apps. Such nefarious programs have been knocking on Google Play’s door in droves: with the help of machine learning, Google’s security specialists removed 700,000 malicious apps from the store last year.

Like the RedDrop malware revealed in February, HeroRat circumvents Google Play, abusing the trust mobile device users often place in alluring applications.

UPDATE, 1:11 p.m. EDT: In response to a request for comment from Cyberscoop on Twitter, Telegram said the following:

“This [malware] doesn’t target Telegram users specifically, merely uses the Telegram bot API to communicate with its owner. See the ‘How to stay safe’ section in the article for protection tips. (In a word: Don’t install apps from unknown sources).”
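The bot API channel that Stefanko and Telegram describe above is also what a defender can hunt for. The following is an added example, not ESET's analysis or the malware's code: it assumes a TLS-intercepting egress proxy that logs full request URLs (the tab-separated log layout and the sample lines are constructed, and the bot tokens in them are dummies), and it flags clients that repeatedly poll `getUpdates` for operator commands and also push data back with a `send*` method. The token in each URL is the attacker's credential for that bot, and the numeric prefix before the colon is the bot id.

```python
"""Hunt for Telegram Bot API command-and-control in egress proxy logs.

Added example, not code from ESET or from the malware. Assumes a
TLS-intercepting proxy that logs full request URLs in a constructed
tab-separated format: epoch_seconds, client_ip, user_agent, url.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# Bot API requests carry the bot token in the URL path:
#   https://api.telegram.org/bot<token>/<method>
# <token> is "<numeric bot id>:<secret>"; the regex is loose on secret length.
BOT_API_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<token>\d{6,}:[A-Za-z0-9_-]{30,})/(?P<method>[A-Za-z]+)"
)

# What an implant needs: poll for operator commands, then push results back.
POLL_METHODS = {"getUpdates"}
EXFIL_METHODS = {"sendMessage", "sendDocument", "sendPhoto",
                 "sendAudio", "sendVideo", "sendLocation"}


@dataclass
class Finding:
    client_ip: str
    tokens: set = field(default_factory=set)
    methods: Counter = field(default_factory=Counter)
    user_agents: set = field(default_factory=set)

    @property
    def bot_ids(self):
        # The numeric part before the colon identifies the bot account; it is
        # enough for a report to Telegram without keeping the secret around.
        return {t.split(":", 1)[0] for t in self.tokens}

    @property
    def suspicious(self):
        polls = sum(n for m, n in self.methods.items() if m in POLL_METHODS)
        exfil = sum(n for m, n in self.methods.items() if m in EXFIL_METHODS)
        # One call from a bot-backed app is normal; repeated polling plus
        # outbound data from the same client is the implant pattern.
        return polls >= 3 and exfil >= 1


def parse_line(line):
    """Return (epoch, client_ip, user_agent, token, method), or None if the
    line is not a Telegram Bot API request."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 4:
        return None
    epoch, client_ip, user_agent, url = parts
    m = BOT_API_RE.search(url)
    if not m:
        return None
    return int(epoch), client_ip, user_agent, m.group("token"), m.group("method")


def analyze(lines):
    """Aggregate Bot API use per client; returns {client_ip: Finding}."""
    findings = {}
    for line in lines:
        hit = parse_line(line)
        if hit is None:
            continue
        _, client_ip, user_agent, token, method = hit
        f = findings.setdefault(client_ip, Finding(client_ip))
        f.tokens.add(token)
        f.methods[method] += 1
        f.user_agents.add(user_agent)
    return findings


def flagged(lines):
    """Only the clients whose pattern looks like an implant."""
    return {ip: f for ip, f in analyze(lines).items() if f.suspicious}


# Constructed sample log: one implant-like client (10.0.0.21), one unrelated
# Telegram Web user, and one script that sends a single bot message.
# Bot ids and tokens are dummies, not real credentials.
SAMPLE_LOG = [
    "1529000000\t10.0.0.21\tokhttp/3.10.0\thttps://api.telegram.org/bot1000000001:AAEconstructed_dummy_token_not_real_0000/getUpdates?offset=17&timeout=30",
    "1529000031\t10.0.0.21\tokhttp/3.10.0\thttps://api.telegram.org/bot1000000001:AAEconstructed_dummy_token_not_real_0000/getUpdates?offset=18&timeout=30",
    "1529000032\t10.0.0.21\tokhttp/3.10.0\thttps://api.telegram.org/bot1000000001:AAEconstructed_dummy_token_not_real_0000/sendMessage",
    "1529000040\t10.0.0.21\tokhttp/3.10.0\thttps://api.telegram.org/bot1000000001:AAEconstructed_dummy_token_not_real_0000/sendDocument",
    "1529000062\t10.0.0.21\tokhttp/3.10.0\thttps://api.telegram.org/bot1000000001:AAEconstructed_dummy_token_not_real_0000/getUpdates?offset=19&timeout=30",
    "1529000100\t10.0.0.37\tMozilla/5.0 (Linux; Android 8.0)\thttps://web.telegram.org/",
    "1529000120\t10.0.0.44\tpython-requests/2.18\thttps://api.telegram.org/bot2000000002:AAFsecond_constructed_dummy_token_1111/sendMessage",
]

if __name__ == "__main__":
    for ip, f in flagged(SAMPLE_LOG).items():
        print(ip, sorted(f.bot_ids), dict(f.methods), sorted(f.user_agents))
```

Without URL visibility only the `api.telegram.org` hostname or TLS SNI is observable, and legitimate bot-backed apps use the same endpoint, so host-level alerting alone is noisy; the method mix per client is what separates an implant polling for commands from an app that occasionally posts a notification. A recovered token should be treated as the attacker's credential: record the bot id for reporting rather than calling the API with it.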

Sean Lyngaas


Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.
