The StrongPity APT hacking group is disseminating a bogus Shagle chat app that is a trojanized version of the Telegram for Android app with a backdoor added.
Shagle is a legitimate random video chat platform that allows strangers to communicate through an encrypted communications channel.
However, the platform is entirely web-based and does not include a mobile app.
Since 2021, StrongPity has been using a phony website that impersonates the official Shagle site to trick victims into downloading a malicious Android.
Once installed, this app allows hackers to spy on their targets by monitoring phone calls, collecting SMS texts, and stealing contact lists.
StrongPity, also known as Promethium or APT-C-41, was previously linked to a malware-infecting campaign that distributed trojanized Notepad++ installers and malicious versions of WinRAR and TrueCrypt.
ESET researchers found the latest StrongPity activity and linked it to the espionage APT group based on code similarities with previous payloads. Furthermore, the Android app is signed with the same certificate that the APT used to sign an app in a 2021 campaign that mimicked the Syrian e-gov Android application.
Trojanizing the Telegram app
StrongPity's malicious Android app is an APK file called "video.apk," which is a modified version of the standard Telegram v7.5.0 (February 2022) app.
ESET was unable to determine how victims arrived at the bogus Shagle website, but it is most likely through spear phishing emails, smishing (SMS phishing), or online instant messages. The malicious APK is downloaded directly from the bogus Shagle website and has never appeared on Google Play.
According to ESET, the cloned site first appeared online in November 2021, so the APK has most likely been actively distributed since then. The first confirmed detection in the wild, however, occurred in July 2022. One disadvantage of using Telegram as the basis for the hacking group's fake app is that the backdoored version will not be installed if the victim already has the real Telegram app installed on their phones.
The API ID used in the captured samples has currently been limited due to overuse, so the trojanized app will no longer approve new user registrations; thus, the backdoor will not function. This, according to ESET, indicates that StrongPity malware was successfully deployed on targeted victims.
Backdoor for spying on victims
When the malware is installed, it requests Accessibility Service access and then retrieves an AES-encrypted file from the attacker's command and control server. The file contains 11 binary modules that were downloaded to the device and used by the backdoor to perform various malicious functions.
Each module serves an espionage purpose and is activated as needed. The following is a complete list of the malicious spyware modules:
- libarm.jar – records phone calls
- libmpeg4.jar – collects text of incoming notification messages from 17 apps
- local.jar – collects file list (file tree) on the device
- phone.jar – misuses accessibility services to spy on messaging apps by exfiltrating contact name, chat message, and date
- resources.jar – collects SMS messages stored on the device
- services.jar – obtains device location
- systemui.jar – collects device and system information
- timer.jar – collects a list of installed apps
- toolkit.jar – collects contact list
- watchkit.jar – collects a list of device accounts
- wearkit.jar – collects a list of call logs
The information gathered is saved in the app's directory, encrypted with AES, and then sent back to the attacker's command and control server.
The malware can read notification content from Messenger, Viber, Skype, WeChat, Snapchat, Tinder, Instagram, Twitter, Gmail, and other services by abusing the Accessibility Service. The malware automatically grants itself permission to change security settings, write to the filesystem, reboot, and perform other dangerous functions on rooted devices where the regular user has administrator privileges.
Since 2012, the StrongPity hacking group has been active, frequently hiding backdoors in legitimate software installers. According to ESET's report, the threat actor is still using the same tactic after a decade. Android users should exercise caution when downloading APKs from sources other than Google Play.
