StrongPity APT spreads backdoored Android Telegram app (Security Affairs)
The StrongPity APT group targeted Android users with a trojanized version of the Telegram app, served through a website posing as the video chat service Shagle.
ESET researchers reported that the StrongPity APT group targeted Android users with a trojanized version of the Telegram app. The campaign has been active since November 2021; the threat actors served the malicious app through a website posing as a video chat service called Shagle.
The researchers noted that Shagle's service is available only through its web interface and has no mobile app, so any "Shagle app" offered for download is by itself a red flag.
"A copycat website, which mimics the Shagle service, is used to distribute StrongPity's backdoored mobile app," reads the report published by ESET. "The app is a modified version of the open-source Telegram app, repackaged with the StrongPity backdoor code."
The fake website's HTML code was copied from the legitimate shagle.com site on November 1, 2021, using the site-mirroring tool HTTrack, and the lookalike domain was registered on the same day.
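As an added example (not code from the ESET report or from Security Affairs), the following Python snippet shows the check a responder can run on a suspected clone. HTTrack stamps every page it mirrors with a "Mirrored from <host> by HTTrack Website Copier/<version>" comment and wraps the meta tag it injects in "Added by HTTrack" markers, so the original host and the mirroring date can be read straight out of the copied HTML and compared with the host that actually served the page. It also lists APK download links, since the legitimate Shagle has no mobile app. The sample HTML, the placeholder lookalike host copycat.example and the APK path are constructed for this example; the comment format is HTTrack's own, not something taken from the page.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# HTTrack stamps every page it mirrors with a comment of this shape (version
# string and timestamp vary per run) and wraps the meta tag it injects in
# "Added by HTTrack" markers:
#   <!-- Mirrored from shagle.com by HTTrack Website Copier/3.x [XR&CO'2014], Mon, 01 Nov 2021 12:00:00 GMT -->
MIRRORED_RE = re.compile(
    r"<!--\s*Mirrored from\s+(?P<src>\S+)\s+by\s+HTTrack Website Copier/"
    r"(?P<ver>[^\s,\]]+)[^,]*,\s*(?P<date>[^>]*?)\s*-->",
    re.IGNORECASE,
)
ADDED_RE = re.compile(r"<!--\s*Added by HTTrack\s*-->", re.IGNORECASE)
APK_HREF_RE = re.compile(r"""href=["']([^"']+\.apk)["']""", re.IGNORECASE)


@dataclass
class MirrorEvidence:
    source_host: str            # host the HTML was copied from, per HTTrack
    served_host: str            # host that actually served the page
    httrack_version: str
    mirrored_on: str            # timestamp HTTrack wrote into the comment
    injected_meta: bool         # "Added by HTTrack" markers present
    cloned_from_other_host: bool


def _host(value: str) -> str:
    """Normalise 'shagle.com', 'www.shagle.com/' or a full URL to a bare host."""
    if "://" not in value:
        value = "http://" + value
    host = (urlsplit(value).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def find_httrack_mirror(html: str, served_url: str) -> Optional[MirrorEvidence]:
    """Return HTTrack evidence found in html, or None if the page carries no stamp."""
    m = MIRRORED_RE.search(html)
    if m is None:
        return None
    src, served = _host(m.group("src")), _host(served_url)
    return MirrorEvidence(
        source_host=src,
        served_host=served,
        httrack_version=m.group("ver"),
        mirrored_on=m.group("date").strip(),
        injected_meta=ADDED_RE.search(html) is not None,
        cloned_from_other_host=(src != served),
    )


def apk_links(html: str) -> list:
    """APK download links on the page; Shagle has no mobile app, so any hit is a signal."""
    return APK_HREF_RE.findall(html)


# Constructed sample: what a page fetched from a hypothetical lookalike host
# (copycat.example) might look like after HTTrack copied it from shagle.com.
SAMPLE_HTML = """<!DOCTYPE html>
<!-- Mirrored from shagle.com by HTTrack Website Copier/3.x [XR&CO'2014], Mon, 01 Nov 2021 12:00:00 GMT -->
<html><head>
<!-- Added by HTTrack --><meta http-equiv="content-type" content="text/html;charset=utf-8" /><!-- /Added by HTTrack -->
<title>Shagle</title></head>
<body><a href="files/shagle.apk">Download the Android app</a></body></html>
"""

if __name__ == "__main__":
    evidence = find_httrack_mirror(SAMPLE_HTML, "https://copycat.example/")
    print(evidence)
    print("APK links:", apk_links(SAMPLE_HTML))
```

The HTTrack stamp is trivial for an attacker to strip, so its absence proves nothing; its presence, together with a mirroring date that matches the domain's registration date (as in this campaign), is the kind of evidence worth recording.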
The researchers noted that only one other Android campaign has previously been attributed to the StrongPity group.
The StrongPity APT group has been active since at least 2013 and is responsible for cyberespionage campaigns against Turkish targets. The group has used zero-day exploits, social engineering tricks, and trojanized software droppers to deliver malware to its victims.
The attribution to the APT group is based on similarities to previous StrongPity backdoor code.
The modular StrongPity backdoor used in this campaign supports several spying features, including recording phone calls, collecting SMS messages, call logs, contact lists, and much more. This is the first time that researchers have documented all 11 modules used by the backdoor. If the victim grants the malicious StrongPity app accessibility services, one of the modules gains access to incoming notifications and can exfiltrate communications from 17 mobile apps, including Viber, Skype, Gmail, Messenger, Snapchat, Telegram, Tinder, and Twitter.
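Added example (Python; not from ESET or the page): the two Android secure settings enabled_accessibility_services and enabled_notification_listeners record which components currently hold the accessibility and notification-listener powers the backdoor abuses, and a responder can dump them with `adb shell settings get secure enabled_accessibility_services` and `adb shell settings get secure enabled_notification_listeners`. The snippet below parses those values and flags every package outside an allowlist. Because the trojanized app reuses Telegram's package name, a hit on org.telegram.messenger here means a package calling itself Telegram has been granted exactly the capabilities the report says the backdoor misuses. The two sample values and the service class names under org.telegram.messenger and com.example.watchcompanion are constructed placeholders, not the malware's real component names.

```python
from dataclasses import dataclass

# Values of the two Android secure settings that record which components hold
# accessibility-service and notification-listener access, as printed by:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell settings get secure enabled_notification_listeners
# Android separates entries with ':' and writes each as package/class; a class
# beginning with '.' is relative to its package. 'null' means the setting is unset.
# Both samples are constructed; the classes under org.telegram.messenger and
# com.example.watchcompanion are placeholders, not the malware's real names.
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "org.telegram.messenger/.ExampleAccessibilityService"
)
SAMPLE_NOTIFICATION_LISTENERS = (
    "com.example.watchcompanion/.NotificationRelayService:"
    "org.telegram.messenger/org.telegram.messenger.ExampleNotificationListener"
)

# Packages you expect to hold these powers on the device under review.
ALLOWLIST = frozenset({"com.google.android.marvin.talkback", "com.example.watchcompanion"})


@dataclass(frozen=True)
class Finding:
    kind: str        # "accessibility" or "notification_listener"
    package: str
    component: str   # fully qualified service class


def parse_components(setting_value):
    """Split a settings value into (package, fully qualified class) pairs."""
    if not setting_value or setting_value.strip() == "null":
        return []
    pairs = []
    for entry in setting_value.split(":"):
        entry = entry.strip()
        if "/" not in entry:
            continue
        package, cls = entry.split("/", 1)
        if cls.startswith("."):
            cls = package + cls      # expand Android's shorthand for a relative class
        pairs.append((package, cls))
    return pairs


def audit(accessibility_value, listeners_value, allowlist=ALLOWLIST):
    """Return every component whose package is not on the allowlist."""
    findings = []
    for kind, value in (("accessibility", accessibility_value),
                        ("notification_listener", listeners_value)):
        for package, cls in parse_components(value):
            if package not in allowlist:
                findings.append(Finding(kind, package, cls))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_ACCESSIBILITY, SAMPLE_NOTIFICATION_LISTENERS):
        print(f"{f.kind}: {f.package} ({f.component})")
```

A hit is a lead, not a verdict. Follow it with `adb shell pm path org.telegram.messenger`, pull the APK, and run `apksigner verify --print-certs` on it to compare the signing certificate with a known-good Telegram build; a repackaged app cannot carry the original developer's signature.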
"The campaign is likely to be very narrowly targeted, as ESET telemetry has yet to identify any victims," the report continues. "During our investigation, the analyzed version of the malware available on the copycat website was no longer active and it was no longer possible to successfully install it and trigger its backdoor functionality, because StrongPity hadn't obtained its own API ID for its trojanized Telegram app."
ESET speculates that the threat actor may decide to update the malicious app to carry out further attacks in the future.
The trojanized app was never uploaded to the Google Play store; it was distributed only through the fake website discovered by the researchers.
The researchers noted that the backdoored version of Telegram used in the campaign carries the same package name as the legitimate Telegram app, which means it cannot be installed on a device that already has Telegram installed (Android refuses to replace an installed package with one signed by a different key).
Experts argued that the campaign may therefore have been aimed at countries where Telegram is not popular.
"Code analysis reveals that the backdoor is modular and that additional binary modules are downloaded from the C&C server. This means that the number and type of modules used can be changed at any time to fit the campaign requests when operated by the StrongPity group," the report concludes. "Based on our analysis, this appears to be the second version of StrongPity's Android malware; compared to its first version, it also misuses accessibility services and notification access, stores collected data in a local database, tries to execute su commands, and for most of the data collection uses downloaded modules."
(Security Affairs – hacking, Android)