Powered via Telegram bots and distributed through android applications, Android.spy.377.origin is a new Trojan Spyware, specifically targeting Iranian users to collect confidential data. Cyber-criminals remotely control the spyware by executing commands using message-exchange protocol of Telegram. Malicious programs are named Insta Plus, Profile Checker, and Cleaner Pro. Telegram Vulnerability & Spyware Functions As Telegram message exchange protocol provides simple method of communication, attacker does not need to enable port forwarding on victim\u2019s device. However attacker first need to develop their own Bot, token generated by this Bot is embedded into Trojan\u2019s configuration file. Once the victim device is infected, the attacker is able to control it through the automatically created channel. After being launched, program offers user to check their profile rating among other telegram users. Victim is asked to provide their personal ID, Trojan then generates an arbitrary number of profile visitors without performing any real check. After this apparent legitimate function, program removes its shortcut from home screen, hides itself and start copying contact list, SMS, and Google account data in text files in the directory \/Android\/data\/ . \u2022 \u2014 contains information about contacts \u2022 \u2014 contains information about all saved incoming and outgoing SMS \u2022 \u2014 contains information about the user Google account Besides this Trojan is also able to take photo with front camera, which along with other text files, is loaded to command and control server. Android.spy.377.origin then connects to Telegram bot, sends user\u2019s information to bot and waits for further commands from spyware developers. It may receive following commands: \u2022 call \u2014 make a phone call \u2022 sendmsg \u2014 send an SMS \u2022 getapps \u2014 forward information about the installed applications to the server \u2022 getfiles \u2014 forward information about all the available files to the server \u2022 getloc \u2014 forward device location information to the server \u2022 upload \u2014 upload to the server the file that is indicated in a command and stored on the device \u2022 removeA \u2014 delete from the device the file specified in a command \u2022 removeB \u2014 delete a file group \u2022 lstmsg \u2014 forward to the server the file containing information about all the sent and received SMS, including sender and recipient phone numbers, and message contents Some of the files sent to Telegram Bot Trojan tracks SMS and alerts the developers\u2019 Telegram bot whenever new message is sent or received or the device location is changed. Unfortunately all Telegram users have now become official target of the newly created Android.spy.377.origin Trojan Attack despite the encrypted communication of the messenger. In order to protect their data, users should install applications developed and distributed only by authentic sources.