There’s a nasty new Android remote access Trojan (RAT) going around, and it’s capable of giving anyone GUI-based control over an infected device.
Called HeroRat, this new suite of control tools abuses the Telegram messaging protocol popular with Android users to give attackers an alarming amount of access to infected devices, like recording calls, sending SMS messages, installing and uninstalling apps, and more.
HeroRat was discovered by ESET when the security company was researching the widespread growth of Android RATs that target Telegram, which are freely available for download online. HeroRat has a different distribution model, and instead of being found for free in hacking forums and Telegram channels it costs money.
Paying for HeroRat gets a potential cybercriminal access to video tutorials, support, and different features based on which pricing tier you purchase.
HeroRat has been found in the wild, but so far it’s mostly targeting users in Iran. As easy to use and feature packed as HeroRat is, that’s not likely to last for long, so it’s important to know how to protect yourself before it spreads further.
Protecting yourself from HeroRat and other Android RATs
HeroRat is tricky, but it isn’t impossible to prevent and detect. Here are several tips.
Beware your app installation sources
Ingress channels for Android malware are limited, and the same goes for HeroRat. It doesn’t utilize any new tricks to get itself onto Android devices and hasn’t been found in the official Google Play store, so advice for preventing infections stands: Don’t install anything that comes from unofficial sources.
SEE: Quick glossary: Malware (Tech Pro Research)
Even when using Google Play to find apps, be sure to read reviews and check the company out before installing an app—Google has been notoriously bad about keeping malware out of Google Play, so any installation should be approached with caution.
HeroRat is spreading itself via third-party app stores, messaging apps, and social media. It uses attractive offers, like free Bitcoin, to trick users into downloading it, at which point it says it won’t work on the affected system before “uninstalling” itself. Instead of actually being uninstalled it deletes its icon and registers itself with the attacker as a newly accessible device and then uses Telegram’s bot functionality to take control.
SEE: Password managers: How and why to use them (free TechRepublic PDF)
Install antivirus software
Smartphones aren’t any safer than traditional computers at this point, so don’t skip on installing a good antivirus platform. ESET said that its mobile software will detect HeroRat and similar RATs, and other trusted security apps should be able to as well.
Watch what permissions an app requests
Another sticking point that Android malware has to get past is requesting admin access to certain system functions before installation. HeroRat is no different in this regard, and infected users will be safe if they simply don’t grant access to what it wants.
Legitimate apps need access to system functions too, but the key thing to watch out for is what’s being requested. HeroRat asks for some specific permissions, like locking the screen, altering password requirements, and erasing the entire device. Any one of those should raise a red flag, and all of them together should set off alarm bells.
If you’re ever in doubt that what an app is requesting is legitimate, don’t grant it—a legitimate app should work fine without it and a malicious one won’t be able to infect you if you exercise caution.
The big takeaways for tech leaders
- A new Android RAT, HeroRat, is spreading via third-party app stores and messaging services and can take complete control of infected devices.
- HeroRat relies on traditional methods to infect Android devices. Users are advised to install apps only from official sources, keep updated anti-malware software installed, and always check app permissions.
How do you help your users protect against threats like HeroRat? Share your advice with fellow TechRepublic members.