Pierluigi Paganini January 10, 2023

The StrongPity APT group targeted Android users with a trojanized version of the Telegram app served through a website impersonating a video chat service called Shagle.

ESET researchers reported that StrongPity APT group targeted Android users with a trojanized version of the Telegram app. The campaign has been active since November 2021, threat actors served the malicious app through a website impersonating a video chat service called Shagle.

The experts highlighted that the Shagle service is available only via web interface and doesn’t have a mobile app.

“A copycat website, mimicking the Shagle service, is used to distribute StrongPity’s mobile backdoor app.” reads the report published by ESET. “The app is a modified version of the open-source Telegram app, repackaged with StrongPity backdoor code.”

The HTML code of the fake site includes was copied from the legitimate shagle.com site on November 1st, 2021, using a tool called HTTrack, while the domain was registered on the same day.

The researchers pointed out that only one other Android campaign has been previously attributed to the StrongPity group.

StrongPity APT group has been active since at least 2013, it’s responsible for cyberespionage campaigns against Turkish targets. The group used zero-day exploits, social engineering tricks, and Trojanized software installers to deliver malware to their victims.

The attribution to the APT group is based on similarities with the previous StrongPity backdoor code.

The StrongPity modular backdoor employed in this campaign supports multiple spying features, including recording phone calls, collecting SMS messages, lists of call logs, contact lists, and much more. This is the first time that cybersecurity researchers documented the 11 modules used by the backdoor. Upon granting the malicious StrongPity app accessibility services, one of the modules will achive access to incoming notifications and will be able to exfiltrate communication from 17 mobile apps, including Viber, Skype, Gmail, Messenger, Snapchat, Telegram, Tinder, and Twitter.

“The campaign is likely very narrowly targeted, since ESET telemetry still doesn’t identify any victims.” continues the report. “During our research, the analyzed version of malware available from the copycat website was not active anymore and it was no longer possible to successfully install it and trigger its backdoor functionality because StrongPity hasn’t obtained its own API ID for its trojanized Telegram app.”

ESET speculates that the threat actor could decide to update the malicious app to carry out further attacks in the future.

The Trojanized app was not uploaded to the Google Play store, it was distributed only through the rogue website discovered by the experts.

The researchers noticed that the backdoored Telegram version employed in the campaign uses the same package name as the legitimate Telegram app, this implies that it cannot be installed on a device that already has Telegram installed.

Experts argued that the campaign may have been aimed at countries where Telegram is not popular.

“Code analysis reveals that the backdoor is modular and additional binary modules are downloaded from the C&C server. This means that the number and type of modules used can be changed at any time to fit the campaign requests when operated by the StrongPity group.” concludes the report. “Based on our analysis, this appears to be the second version of StrongPity’s Android malware; compared to its first version, it also misuses accessibility services and notification access, stores collected data in a local database, tries to execute su commands, and for most of the data collection uses downloaded modules.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Android)

[adrotate banner=”5″]

[adrotate banner=”13″]