Redazione RHC : 16 September 2025 10:36
F6 and RuStore experts report having discovered and blocked 604 domains that were part of the infrastructure of hackers who infected mobile devices with the DeliveryRAT Trojan. The malware masqueraded as food delivery apps, marketplaces, banking services, and package tracking services.
In the summer of 2024, F6 analysts discovered a new Android Trojan, called DeliveryRAT. Its main task was to collect confidential data for loan processing in microfinance organizations, as well as steal money through online banking.
Subsequently, the Bonvi team’s Telegram bot was discovered, through which DeliveryRAT was distributed under a MaaS (Malware-as-a-Service) scheme. It turned out that, via the bot, the attackers received a free sample of the Trojan, after which they had to deliver it to the victim’s device themselves.
The bot’s owners offered two options: download the compiled APK, or obtain a link to a fake site, supposedly generated separately for each worker (affiliate).
Victims’ devices were infected using several common scenarios. “To attack the victim, the attackers used various ingenious scenarios: they created fake buy and sell ads or fake remote job postings with a high salary,” says Evgeny Egorov, senior analyst at F6’s Digital Risk Protection Department. “Then, the conversation with the victim is transferred to messaging services, and the victim is persuaded to install a mobile application, which turns out to be malicious.”
The attackers create ads for discounted products on marketplaces or in fake online stores. Posing as a seller or manager, the criminals contact the victim via Telegram or WhatsApp, and during the conversation the victim hands over their personal data (recipient’s full name, delivery address, and phone number). To “track” the fake order, the operator then asks the victim to download a malicious application.
The hackers also create fake remote job ads with attractive conditions and a good salary. Here too, communication with the victim is moved to messaging services, where the scammers first collect their data: SNILS (Russian social insurance number), credit card number, phone number, and date of birth. Then they ask the victim to install a malicious application, supposedly required for the job.
In addition, experts have detected the distribution of advertising posts on Telegram inviting people to download an application infected with DeliveryRAT. In this case, the malware was usually disguised as apps with discounts and promotional codes.
The report emphasizes that this fraudulent scheme is widespread because generating the links via Telegram bots requires no special technical knowledge. The researchers also note that the scheme’s main feature is the high degree of automation of the whole process.