ESET researchers identified an active StrongPity APT group campaign using a fully functional but trojanized version of the legitimate Telegram app, repackaged and presented as the Shagle app even though Shagle has no app of its own. This StrongPity backdoor has various spy features: its 11 dynamically triggered modules are responsible for recording phone calls, collecting SMS messages, collecting call logs and contact lists, and much more. These modules are publicly documented for the first time. If the victim grants notification access and accessibility services to the malicious StrongPity app, the app also gains access to incoming notifications from 17 apps, including Viber, Skype, Gmail, Messenger and Tinder, and can exfiltrate chat communication from those apps. The campaign is likely very narrowly targeted, as ESET telemetry has not yet identified any victims.
Unlike the fully web-based genuine Shagle site, which does not offer an official mobile app to access their services, the knock-off site only offers an Android app for download with no web-based streaming possible. This trojanized Telegram app has never been made available on the Google Play Store.
The malicious code, its functionality, class names and the certificate used to sign the APK file are identical to the previous campaign; therefore, ESET is convinced that this operation belongs to the StrongPity group. Code analysis revealed that the backdoor is modular and that additional binary modules are downloaded from the C&C server. This means that the number and type of modules used can be adjusted to campaign requirements at any time by the StrongPity group.
“During our research, the analyzed version of the malware available on the copycat website was no longer active and it was no longer possible to successfully install and trigger its backdoor functionality. This is because StrongPity did not obtain its own API ID for its trojanized Telegram app. But that can change at any time should the threat actor decide to update the malicious app,” says Lukáš Štefanko, the ESET researcher who analyzed the trojanized Telegram app.
The repackaged version of Telegram uses the same package name as the legitimate Telegram app. Package names are meant to be unique identifiers for each Android app and must be unique on each device. This means that if the official Telegram app is already installed on a potential victim’s device, this backdoor version cannot be installed. “This could mean one of two things – either the attacker first communicates with potential victims and urges them to uninstall Telegram from their devices if it is installed, or the campaign focuses on countries where Telegram is rarely used for communication,” adds Štefanko.
StrongPity’s app should have worked just like the official version for communication, using standard APIs that are well documented on the Telegram website, but it doesn’t anymore. Compared to the first StrongPity malware detected for mobile devices, this StrongPity backdoor has advanced spying capabilities capable of spying on incoming notifications and exfiltrating chat communications if the victim grants the app notification access and enables accessibility features.
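Because the backdoor only becomes dangerous once a user grants it notification access and accessibility services, a quick triage step on a device is to list which packages currently hold those two grants and flag any that are not expected. The script below is an added example (not ESET's code); it parses the colon-separated `package/class` values that `adb shell settings get secure enabled_notification_listeners` and `enabled_accessibility_services` return, using constructed sample values, and because the trojanized app reuses the legitimate package name, a flagged entry only tells you which apps to examine further, not whether a given one is genuine.

```python
"""Triage helper: list Android packages holding notification-listener and
accessibility grants and flag those not on an expected allowlist.

Added example, not code from ESET or the analyzed malware. Both Secure
settings are colon-separated ComponentName strings ("package/class"), or
the literal string "null" when nothing is granted.
"""
import subprocess
from typing import Dict, List, Set

# Constructed sample output, shaped like what the two settings commands print.
SAMPLE_LISTENERS = (
    "com.android.systemui/com.android.systemui.statusbar.NotificationListener:"
    "org.telegram.messenger/org.telegram.messenger.NotificationsListener"
)
SAMPLE_A11Y = "com.google.android.marvin.talkback/.TalkBackService"


def parse_components(raw: str) -> Dict[str, List[str]]:
    """Map package name -> component classes that hold the grant."""
    out: Dict[str, List[str]] = {}
    if not raw or raw.strip() == "null":
        return out
    for entry in raw.strip().split(":"):
        if "/" not in entry:          # skip malformed or empty entries
            continue
        pkg, cls = entry.split("/", 1)
        out.setdefault(pkg, []).append(cls)
    return out


def flag_unexpected(raw: str, allowlist: Set[str]) -> List[str]:
    """Packages holding the grant that are not on the allowlist, sorted."""
    return sorted(p for p in parse_components(raw) if p not in allowlist)


def triage(listeners_raw: str, a11y_raw: str, allowlist: Set[str]) -> Dict[str, List[str]]:
    """Run both checks and return the packages a human should look at."""
    return {
        "notification_listeners": flag_unexpected(listeners_raw, allowlist),
        "accessibility_services": flag_unexpected(a11y_raw, allowlist),
    }


def read_secure_setting(name: str) -> str:
    """Read a Secure setting from a USB-attached device via adb (live use only)."""
    return subprocess.check_output(
        ["adb", "shell", "settings", "get", "secure", name], text=True)


if __name__ == "__main__":
    # Offline demo on the constructed samples; for a real device replace the
    # samples with read_secure_setting("enabled_notification_listeners") etc.
    print(triage(SAMPLE_LISTENERS, SAMPLE_A11Y, {"com.android.systemui"}))
```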
For more technical information on the latest StrongPity app, see the StrongPity spy campaign for Android users blog post on WeLiveSecurity. Be sure to follow ESET Research on Twitter for the latest news from ESET Research.