Posted on January 10, 2023 at 4:46 PM
StrongPity, a known advanced persistent threat (APT) group, has launched a malicious campaign targeting Android users. The group distributes a trojanized version of Telegram through a fake website that impersonates Shagle, a video chat service.
StrongPity APT group targets Android users
According to Lukáš Štefanko, an ESET malware researcher, the hackers used a fake website mimicking the Shagle video chat service to distribute the StrongPity mobile backdoor.
In a technical report outlining the group's operations, Štefanko said that the app used to deliver the malware was a modified copy of the Telegram messaging application, repackaged with backdoor code written by StrongPity.
StrongPity is also tracked under other names, such as APT-C-41 and Promethium. The group conducts cyber-espionage campaigns, with its first known malicious activity dating back to at least 2012.
Most of the group's early operations focused on Turkey and Syria, but StrongPity has diversified over the years to target Africa, Asia, Europe, and North America. Its intrusions have typically relied on watering hole attacks and phishing messages to start the kill chain.
StrongPity is known for luring victims to fake websites that claim to offer various software tools, then tricking them into downloading trojanized versions of genuine apps.
In December 2021, a report by Minerva Labs described a three-stage attack chain that began with the execution of a trojanized Notepad++ installer, which ultimately dropped a backdoor on the infected machine. Earlier in 2021, the group was also observed distributing Android malware after gaining unauthorized access to Syria's e-government portal and replacing the portal's official Android APK with a rogue one.
The latest ESET report shows that the group is still using the same mode of operation, this time to distribute a newer version of its Android backdoor. The backdoor can record phone calls, track the device's location, and collect a wide range of user data, including files, contact lists, SMS messages, and call logs.
Malware has the potential to gather user information
The malware also abuses Android accessibility services, which lets it read incoming notifications and messages from other applications such as Instagram, Gmail, Messenger, Skype, LINE, Snapchat, Telegram, Tinder, WeChat, and Viber.
ESET said the implant is modular and can download additional modules from a remote command-and-control (C2) server, allowing it to be extended as the goals of the StrongPity campaign change.
The operators also took care to keep the backdoor stealthy: it is hidden inside a legitimate version of the Telegram app, one that was released early last year. The fake Shagle website is no longer operational, and the evidence suggests the activity was "very narrowly targeted."
There are no signs that the fake app was ever listed on Google Play. It has not been determined how potential victims were lured to the fake website, or whether techniques such as fraudulent ads, social engineering, or search engine optimization (SEO) poisoning were used.
According to Štefanko, the malicious domain was registered on the same day the trojanized app was made available for download, so the fake website and the app could have been live since the day the domain was registered.
The attackers also went out of their way to avoid suspicion. One notable feature of the campaign is that the trojanized Telegram build uses the same package name as the genuine Telegram app. Because Android refuses to install an app over an existing one with the same package name unless both are signed with the same certificate, the backdoored variant cannot be installed on a device that already has the real Telegram app.
Štefanko noted that this suggests the threat actor may have had prior contact with potential victims, encouraging them to uninstall Telegram so that the malicious app could be installed instead. Alternatively, the group could be targeting countries where Telegram has few users.
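The package-name collision described above is worth seeing as code, both from the installer's side (why the trojan cannot land beside the real app) and from the defender's side (how to spot a device where it did land because the real app had been uninstalled first). The following is an added example written for this article, not code from ESET or from the StrongPity sample; the certificate bytes are constructed placeholders, the real Telegram signing fingerprint is not reproduced here, and the installed-package inventory is made up. The install rule mirrors Android's PackageManager behaviour in simplified form.

```python
"""Same package name, different signer: install rule and a fleet check.
Added example for this article; not ESET's or the malware's code."""
import hashlib
from dataclasses import dataclass

# Constructed placeholders standing in for DER-encoded signing certificates.
# The genuine Telegram fingerprint is deliberately NOT reproduced here.
GENUINE_TELEGRAM_CERT = b"constructed placeholder: genuine Telegram signing certificate"
ATTACKER_CERT = b"constructed placeholder: attacker's self-signed certificate"


def cert_sha256(cert_der: bytes) -> str:
    """Fingerprint in the colon-separated form that apksigner/keytool print."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# Allowlist a defender would maintain: package name -> expected signer.
KNOWN_SIGNERS = {"org.telegram.messenger": cert_sha256(GENUINE_TELEGRAM_CERT)}


@dataclass(frozen=True)
class Pkg:
    name: str
    signer_sha256: str
    version_code: int


def install_decision(installed: dict, candidate: Pkg) -> str:
    """Simplified PackageManager rule: a package name already present can only
    be updated, and an update must carry the same signing certificate."""
    current = installed.get(candidate.name)
    if current is None:
        return "INSTALL_SUCCEEDED (fresh install)"
    if current.signer_sha256 != candidate.signer_sha256:
        return "INSTALL_FAILED_UPDATE_INCOMPATIBLE (signer mismatch)"
    if candidate.version_code < current.version_code:
        return "INSTALL_FAILED_VERSION_DOWNGRADE"
    return "INSTALL_SUCCEEDED (update)"


def find_impostors(inventory: list) -> list:
    """Flag installed packages whose name matches a known app but whose signing
    certificate does not: the post-uninstall scenario the article describes."""
    return [
        p.name for p in inventory
        if p.name in KNOWN_SIGNERS and KNOWN_SIGNERS[p.name] != p.signer_sha256
    ]


def scenario() -> dict:
    """Walk through the three cases that matter for this campaign."""
    genuine = Pkg("org.telegram.messenger", cert_sha256(GENUINE_TELEGRAM_CERT), 25000)
    trojan = Pkg("org.telegram.messenger", cert_sha256(ATTACKER_CERT), 26000)
    return {
        # Clean device, or real Telegram uninstalled first: the trojan installs.
        "trojan_on_clean_device": install_decision({}, trojan),
        # Real Telegram present: rejected because the signer differs.
        "trojan_over_genuine": install_decision({genuine.name: genuine}, trojan),
        # Symmetric: a victim cannot "update" back to the real app either.
        "genuine_over_trojan": install_decision({trojan.name: trojan}, genuine),
    }


if __name__ == "__main__":
    for case, result in scenario().items():
        print(f"{case}: {result}")
    # Constructed inventory, e.g. exported from an MDM or `pm` listing.
    fleet = [
        Pkg("org.telegram.messenger", cert_sha256(ATTACKER_CERT), 26000),
        Pkg("com.example.unrelated", cert_sha256(b"other vendor"), 1),
    ]
    print("impostors:", find_impostors(fleet))
```

In a real investigation the signer fingerprints would come from `apksigner verify --print-certs` on the pulled APK or from the device's package inventory, compared against the vendor's published certificate rather than the placeholder used here.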