
StrongPity Hackers Disseminate Trojanized Telegram App to Android Users

The StrongPity APT hacking group is disseminating a bogus Shagle chat app that is a trojanized version of the Telegram for Android app with a backdoor added. Shagle is a legitimate random video chat platform that allows strangers to communicate through an encrypted communications channel. 

However, the platform is entirely web-based and does not offer a mobile app. Since 2021, StrongPity has been using a phony website that impersonates the official Shagle site to trick victims into downloading a malicious Android app. Once installed, this app allows the attackers to spy on their targets by recording phone calls, collecting SMS texts, and stealing contact lists.

StrongPity, also known as Promethium or APT-C-41, was previously linked to a malware-infecting campaign that distributed trojanized Notepad++ installers and malicious versions of WinRAR and TrueCrypt.

ESET researchers found the latest StrongPity activity and linked it to the espionage APT group based on code similarities with previous payloads. Furthermore, the Android app is signed with the same certificate that the APT used to sign an app in a 2021 campaign that mimicked the Syrian e-gov Android application.

Trojanizing the Telegram app 

StrongPity's malicious Android app is an APK file called "video.apk," which is a modified version of the standard Telegram v7.5.0 (February 2022) app.

ESET was unable to determine how victims arrived at the bogus Shagle website, but it is most likely through spear phishing emails, smishing (SMS phishing), or online instant messages. The malicious APK is downloaded directly from the bogus Shagle website and has never appeared on Google Play.

According to ESET, the cloned site first appeared online in November 2021, so the APK has most likely been actively distributed since then. The first confirmed detection in the wild, however, occurred in July 2022. One disadvantage of using Telegram as the basis for the group's fake app is that the backdoored version will not install if the victim already has the real Telegram app on their phone.

The API ID used in the captured samples has currently been limited due to overuse, so the trojanized app will no longer approve new user registrations; thus, the backdoor will not function. This, according to ESET, indicates that StrongPity malware was successfully deployed on targeted victims.

Backdoor for spying on victims

When the malware is installed, it requests Accessibility Service access and then retrieves an AES-encrypted file from the attacker's command and control server. The file contains 11 binary modules that were downloaded to the device and used by the backdoor to perform various malicious functions.

Each module serves an espionage purpose and is activated as needed. The following is a complete list of the malicious spyware modules:
  • libarm.jar – records phone calls
  • libmpeg4.jar – collects text of incoming notification messages from 17 apps
  • local.jar – collects file list (file tree) on the device
  • phone.jar – misuses accessibility services to spy on messaging apps by exfiltrating contact name, chat message, and date
  • resources.jar – collects SMS messages stored on the device
  • services.jar – obtains device location
  • systemui.jar – collects device and system information
  • timer.jar – collects a list of installed apps
  • toolkit.jar – collects contact list
  • watchkit.jar – collects a list of device accounts
  • wearkit.jar – collects a list of call logs

The information gathered is saved in the app's directory, encrypted with AES, and then sent back to the attacker's command and control server.

By abusing the Accessibility Service, the malware can read notification content from Messenger, Viber, Skype, WeChat, Snapchat, Tinder, Instagram, Twitter, Gmail, and other services. On rooted devices, where the regular user has administrator privileges, the malware automatically grants itself permission to change security settings, write to the filesystem, reboot the device, and perform other dangerous functions.
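The check a defender would want after reading this is simple: which apps on a device currently hold accessibility-service access, and is any of them unexpected? The script below is an added example, not part of ESET's research or of the original post. It audits the value of the Android `enabled_accessibility_services` secure setting (normally read with `adb shell settings get secure enabled_accessibility_services`) against an allowlist. The allowlist entry (the stock TalkBack screen reader) and the `com.example.sideloaded.chat` entry are assumptions; the sample string is constructed here in place of real adb output.

```shell
#!/bin/sh
# Added example: audit which Android accessibility services are enabled.
# The setting is a colon-separated list of "package/ServiceClass" entries,
# or the literal string "null" when no service is enabled.

# Allowlist of services expected to hold accessibility access.
# Assumption: only the stock TalkBack screen reader should be enabled.
ALLOWED="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"

# Constructed sample standing in for:
#   adb shell settings get secure enabled_accessibility_services
# The second entry is a made-up placeholder for a sideloaded chat app.
SAMPLE="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.sideloaded.chat/com.example.sideloaded.chat.ChatAccessibilityService"

# Print every enabled service that is not on the allowlist, one per line.
unexpected_services() {
    value="$1"
    # "null" means nothing is enabled, so there is nothing to report.
    [ "$value" = "null" ] && return 0
    printf '%s\n' "$value" | tr ':' '\n' | while IFS= read -r entry; do
        [ -z "$entry" ] && continue
        case ":$ALLOWED:" in
            *":$entry:"*) ;;                 # expected service, skip
            *) printf '%s\n' "$entry" ;;     # not allowlisted, report
        esac
    done
}

# Succeed (exit 0) only when every enabled service is allowlisted.
audit_accessibility() {
    [ -z "$(unexpected_services "$1")" ]
}

# Stand-alone run: report the unexpected entries in the constructed sample.
unexpected_services "$SAMPLE"
```

On a real device, replace `SAMPLE` with the output of the adb command; any entry the script reports is an app that can read screen content and notifications the way the post describes, and should be accounted for.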

The StrongPity hacking group has been active since 2012 and frequently hides backdoors in legitimate software installers. According to ESET's report, the threat actor is still using the same tactic after a decade. Android users should exercise caution when downloading APKs from sources other than Google Play.

Alert! The Days of WhatsApp Are Gone? Stronger Competitor In The Market!

Joy all around for the social media fanatics who had grown quite bored of WhatsApp being their only source of incessant chatting, and for those who felt unsafe after the recent spyware that hit the beloved chat application.

The word around is that a recently surfaced social media chat application could give strong competition to the Facebook-owned social media service.

Users were already quite disconcerted by the recent cyber threat that hit WhatsApp and were in desperate need of a substitute to satisfy their daily social cravings.

The celebrated application goes by the name of “Signal”. Its unique characteristic is its keen focus on the privacy of the users.

Per sources, Signal plans to move towards the big market and go “mainstream”, thanks to the substantial monetary support it received from WhatsApp’s co-founder.

The financial backing is meant to help “Signal” gain better features and attract people who are done with WhatsApp and want other options, for whatever reason.

Reports mention that the creator of ‘Signal’ had continually been working on giving everyone access to encrypted communications without much fuss.

Now it is finally time for Signal to enter the world it was originally created for. It is a revolutionary effort at forming a more secure cyberspace for the people.

With key agendas like privacy and cyber-security being the central constituents of Signal, the application is sure to win a lot of hearts.

In recent times WhatsApp has been all over the news because of the alleged cyber threats, like spyware, that it has been leaving its users open to, and people’s trust in it has been withering gradually.

Per valid sources, Signal is special because it is encrypted end-to-end, and its servers do not store any sort of “conversation metadata”. This was quite a hefty task for the developers to work around. They also had to enable “group administration” so that people could add and remove members without the servers’ knowledge. But they did it.

Hence, at a time like this, Signal is a very welcome blessing for social media fanatics who have become so used to social applications that they can’t imagine their lives without them.