
StrongPity APT group targets Android users with trojanized Telegram app: ESET Research


ESET researchers identified an active StrongPity APT group campaign leveraging a fully functional but trojanized version of the legitimate Telegram app, repackaged and presented as an app for the Shagle video-chat service, even though no official Shagle app exists.

This StrongPity backdoor has various spying features: it consists of 11 dynamically triggered modules responsible for recording phone calls, collecting SMS messages, collecting call logs and contact lists, and much more. These modules are being described publicly for the first time.

If the victim grants the malicious StrongPity app notification access and accessibility services, the app will also have access to incoming notifications from 17 apps such as Viber, Skype, Gmail, Messenger, and Tinder, and will be able to exfiltrate chat communication from other apps. The campaign is likely very narrowly targeted since ESET telemetry still hasn’t identified any victims.

Unlike the entirely web-based, genuine Shagle site, which doesn’t offer an official mobile app to access its services, the copycat site only provides an Android app to download, with no web-based streaming possible. This trojanized Telegram app has never been made available in the Google Play store.


The malicious code, its functionality, class names, and the certificate used to sign the APK file are identical to those of the previous campaign; thus ESET believes with high confidence that this operation belongs to the StrongPity group. Code analysis revealed that the backdoor is modular and that additional binary modules are downloaded from the C&C server. This means that the number and type of modules used can be changed at any time to fit the requirements of a campaign operated by the StrongPity group.

“During our research, the analyzed version of malware available from the copycat website was not active anymore and it was no longer possible to successfully install and trigger its backdoor functionality. This is because StrongPity hasn’t obtained its API ID for its trojanized Telegram app. But that might change at any time should the threat actor decide to update the malicious app,” says Lukáš Štefanko, the ESET researcher who analyzed the trojanized Telegram app.

The repackaged version of Telegram uses the same package name as the legitimate Telegram app. Package names are supposed to be unique IDs for each Android app and must be unique on any given device. This means that if the official Telegram app is already installed on the device of a potential victim, then this backdoored version can’t be installed.

“This might mean one of two things – either the threat actor first communicates with potential victims and pushes them to uninstall Telegram from their devices if it is installed, or the campaign focuses on countries where Telegram usage is rare for communication,” adds Štefanko.


StrongPity’s app should have worked just as the official version does for communication, using standard APIs that are well documented on the Telegram website, but it no longer does. Compared to the first StrongPity malware discovered for mobile, this StrongPity backdoor has extended spying features. It is able to spy on incoming notifications and exfiltrate chat communication if the victim grants the app notification access and activates accessibility services.
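The two capabilities the article keeps returning to, notification access and accessibility services, are both recorded in Android's Secure settings, so a defender with `adb` access can audit which packages hold them. The following is an added example, not ESET's code or anything from the report: it parses the values that `adb shell settings get secure enabled_notification_listeners` and `adb shell settings get secure enabled_accessibility_services` return (colon-separated `package/class` component names, or the string `null` when unset) and flags any package outside an allowlist. The sample setting values, the allowlist and the class names ending in `Example...` are constructed for the demonstration; `org.telegram.messenger` appears because, as the article notes, the trojanized app reuses the legitimate Telegram package name, so a package-name match alone proves nothing and the granted accesses are what deserve a look.

```python
"""Audit which Android packages hold notification-listener or accessibility access.

Added defender-side example (not ESET's code). Input is the raw value of two
Secure settings as printed by `adb shell settings get secure <name>`:
    enabled_notification_listeners
    enabled_accessibility_services
Both are ':'-separated lists of ComponentName strings ("pkg/cls"); the class
part may be abbreviated as ".Cls" relative to the package. An unset setting
prints "null". Any package not on the allowlist is reported for review.
"""
from dataclasses import dataclass

# Constructed sample values, not captured from a real device. The TalkBack and
# SystemUI entries stand in for legitimate holders of these accesses; the
# "Example..." class names are placeholders, not real or malicious class names.
SAMPLE_NOTIFICATION_LISTENERS = (
    "com.android.systemui/.ExampleNotificationListener:"
    "org.telegram.messenger/.ExampleListener"
)
SAMPLE_ACCESSIBILITY_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "org.telegram.messenger/.ExampleAccessibilityService"
)
# Constructed allowlist; a real one would be built from a known-good device image.
DEFAULT_ALLOWLIST = frozenset({
    "com.android.systemui",
    "com.google.android.marvin.talkback",
})


@dataclass(frozen=True)
class Finding:
    package: str
    component: str   # fully qualified service class
    access: str      # "notification" or "accessibility"


def parse_components(setting_value):
    """Split a Secure-settings component list into (package, class) pairs."""
    if setting_value is None or setting_value.strip() in ("", "null"):
        return []
    pairs = []
    for entry in setting_value.strip().split(":"):
        if not entry:
            continue
        pkg, _, cls = entry.partition("/")
        if cls.startswith("."):          # shorthand ".Cls" means "pkg.Cls"
            cls = pkg + cls
        pairs.append((pkg, cls))
    return pairs


def flag_privileged_access(notification_value, accessibility_value, allowlist):
    """Return a Finding for every non-allowlisted package holding either access."""
    findings = []
    for access, value in (("notification", notification_value),
                          ("accessibility", accessibility_value)):
        for pkg, cls in parse_components(value):
            if pkg not in allowlist:
                findings.append(Finding(pkg, cls, access))
    return findings


def packages_with_both(findings):
    """Packages that hold both accesses: the combination the backdoor needs."""
    by_pkg = {}
    for f in findings:
        by_pkg.setdefault(f.package, set()).add(f.access)
    return sorted(p for p, kinds in by_pkg.items() if kinds == {"notification", "accessibility"})


if __name__ == "__main__":
    results = flag_privileged_access(SAMPLE_NOTIFICATION_LISTENERS,
                                     SAMPLE_ACCESSIBILITY_SERVICES,
                                     DEFAULT_ALLOWLIST)
    for f in results:
        print(f"REVIEW {f.access:<13} {f.package}  ({f.component})")
    for pkg in packages_with_both(results):
        print(f"HIGH   both accesses held by {pkg}")
```

On a real device, capture the two setting values with `adb shell settings get secure ...` and pass them to `flag_privileged_access`; a package holding both accesses at once is the condition under which the article says the backdoor can read notifications from other apps, so `packages_with_both` is the line worth alerting on.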


Krishna Mali
Founder & Editor of TechGraph.
