Criminals are hiding in Telegram – but backdoors are not the answer

When it comes to an easy life, the criminals behind the fearful Anubis banking malware have become big fans of Twitter and, increasingly, the secure messaging of Telegram.

There’s nothing new in malware piggybacking on popular services but why Twitter and Telegram, and is the recent migration to secure messaging significant?

As SophosLabs explains in a new analysis, Anubis borrows these services to host the command and control (C2) instructions malware reaches out for after first installing on a target system.

Twitter is attractive because its popularity and ubiquity means that its domains are less likely to be blocked by web filtering.

Despite this, SophosLabs has recently noticed Anubis moving from Twitter to use Telegram almost exclusively, on the face of it a strange thing to do.

Perhaps Twitter’s in-house security has got better at whacking the mole – blocking the Anubis domains as quickly as they are set up. Malware writers know that’s going to happen at some point but if it’s within minutes or a few hours, that can be inconvenient.

In fact, Telegram is also quite good at suspending accounts that abuse its service in this way. Nevertheless, writes SophosLabs’ researcher, Jagadeesh Chandraiah:

By the time Telegram removes the account being used for C2, it’s likely that several victims have already installed the malware and obtained their initial C2 server address from the malevolent Telegram account.

That Anubis has also taken to using Chinese characters as a form of obfuscation perhaps offers a clue to the criminals’ motivation – it’s an attempt to buy a bit more time by making things more complicated for malware analysts.

Hiding in Telegram

Perhaps the criminals think that using Telegram – a service that employs well-regarded end-to-end encryption to secure its messages from prying eyes – will keep their traffic hidden.

If so, they’re wrong. While Telegram messages sent to and fro are encrypted, Android system logs created by the apps that spearhead Anubis aren’t. These, SophosLabs discovered, can be read quite easily.

That, it might be argued, is a lucky technical break. A future version might uncover a way of avoiding leaving such a trail in the clear, taking its C2 communication beyond the ken of researchers.

Having its security borrowed to hide bad stuff is something that’s dogged platforms like Telegram almost from the start. It’s not alone either – WhatsApp, Facebook Messenger and others have also been implicated at different times.

What appeals to criminals isn’t simply the encryption and bot automation of these platforms but the fact that there are now so many of them to choose from.

Most users pick a messaging platform because they know their friends use it too. Criminals face no such worries and can migrate from niche platform to niche platform to counter the possibility of snooping and infiltration.

It’s one reason why there have been calls to weaken the encryption offered by some of these platforms, but at best that would just cause criminals to move to new platforms, or perhaps even set up ones of their own.

After three decades of popularisation, good encryption is now well on its way to becoming something anyone can access, criminals included. While back doors have little chance of reversing this trend, SophosLabs’ research does underline how the device itself is still a major weakness.

The APIs are within reach of anyone but so are the devices from which these secure applications must operate.