StrongPity, the APT group from Turkey, has been observed using malicious Android applications to target Syrian government officials. This is the first time the adversary has been seen employing Android malware in its attacks; the sample is a trojanized, modified version of the victim's own Android application.
What has happened?
An investigation conducted by Trend Micro revealed that the new malicious app can steal contact lists and gather files with specific extensions from the infected device.
The malicious APK is believed to be spreading via a watering hole attack.
The attackers were probably able to compromise the official Syrian e-Gov website and subsequently replaced the official Android application file with the malicious one.
The URL where the malicious APK file was being hosted (https://egov[.]sy/mobile/egov[.]apk) was later found serving a clean version of the app again, indicating that the malicious version has since been removed.
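Because the attack replaced a legitimately distributed APK with a trojanized build, one check a defender can apply before installing or redistributing such a file is to pin the signing certificate: a rebuilt APK cannot carry the developer's certificate unless the signing key itself was stolen. The script below is an added illustration, not code from the report or from the Syrian e-Gov project. It reads the JAR-style (v1) signature block `META-INF/*.RSA` from an APK, walks the PKCS#7 DER just far enough to reach the embedded X.509 certificates, and compares their SHA-256 fingerprints against a known-good allowlist. The "certificate" in the demo fixture is a constructed placeholder SEQUENCE, not a real X.509 certificate, so the fingerprint values are only meaningful within the demo.

```python
"""Pin-check the signing certificate inside an APK's v1 (JAR) signature block.

Added example: walks the DER PKCS#7 SignedData in META-INF/*.RSA, hashes each
embedded certificate with SHA-256 (the same fingerprint apksigner prints) and
compares against an allowlist. All sample data below is constructed.
"""
import hashlib
import io
import zipfile

SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
DATA_OID = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1


def der_tlv(buf, off=0):
    """Parse one single-byte-tag DER TLV; return (tag, value, end_offset)."""
    tag = buf[off]
    ln = buf[off + 1]
    off += 2
    if ln & 0x80:                       # long-form length
        n = ln & 0x7F
        ln = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + ln], off + ln


def der_children(value):
    """Yield (tag, value, raw_tlv) for each TLV packed inside a constructed value."""
    off = 0
    while off < len(value):
        tag, val, end = der_tlv(value, off)
        yield tag, val, value[off:end]
        off = end


def signing_cert_fingerprints(pkcs7_der):
    """Return SHA-256 hex fingerprints of the certificates in a PKCS#7 SignedData."""
    _, content_info, _ = der_tlv(pkcs7_der)           # ContentInfo SEQUENCE
    kids = list(der_children(content_info))
    if len(kids) < 2 or kids[0][0] != 0x06 or kids[0][1] != SIGNED_DATA_OID:
        return []                                     # not SignedData
    _, signed_data, _ = der_tlv(kids[1][1])           # [0] EXPLICIT -> SEQUENCE
    fps = []
    for tag, val, _ in der_children(signed_data):
        if tag == 0xA0:                               # [0] IMPLICIT certificates
            for ctag, _, raw_cert in der_children(val):
                if ctag == 0x30:                      # each Certificate SEQUENCE
                    fps.append(hashlib.sha256(raw_cert).hexdigest())
    return fps


def apk_cert_fingerprints(apk_bytes):
    """Collect signer fingerprints from every v1 signature block in the APK zip."""
    fps = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            upper = name.upper()
            if upper.startswith("META-INF/") and upper.endswith((".RSA", ".DSA", ".EC")):
                fps.extend(signing_cert_fingerprints(z.read(name)))
    return fps


def check_apk_pin(apk_bytes, allowlist):
    """True only if the APK is signed and every signer cert is on the allowlist."""
    fps = apk_cert_fingerprints(apk_bytes)
    return bool(fps) and all(fp in allowlist for fp in fps)


def der(tag, body):
    """Minimal DER encoder used only to build the constructed demo fixture."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def make_demo_apk(cert_body, include_sig=True):
    """Build a constructed APK-shaped zip; returns (apk_bytes, expected_fingerprint).

    `cert_body` is wrapped in a SEQUENCE as a placeholder for a real X.509 cert.
    """
    fake_cert = der(0x30, cert_body)
    signed_data = der(0x30,
                      der(0x02, b"\x01")              # version
                      + der(0x31, b"")                # digestAlgorithms (empty)
                      + der(0x30, der(0x06, DATA_OID))  # encapContentInfo
                      + der(0xA0, fake_cert)          # [0] certificates
                      + der(0x31, b""))               # signerInfos (empty)
    pkcs7 = der(0x30, der(0x06, SIGNED_DATA_OID) + der(0xA0, signed_data))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"constructed placeholder, not binary XML")
        z.writestr("classes.dex", b"constructed placeholder, not real dex")
        if include_sig:
            z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\r\n")
            z.writestr("META-INF/CERT.RSA", pkcs7)
    return buf.getvalue(), hashlib.sha256(fake_cert).hexdigest()


if __name__ == "__main__":
    genuine, pin = make_demo_apk(b"constructed developer certificate")
    replaced, _ = make_demo_apk(b"constructed attacker certificate")
    print("genuine build passes pin:", check_apk_pin(genuine, {pin}))    # True
    print("re-signed build passes pin:", check_apk_pin(replaced, {pin}))  # False
```

Two caveats apply. Modern APKs are usually signed with APK Signature Scheme v2/v3, whose signing block lives outside the zip entries, so `apksigner verify --print-certs` remains the authoritative way to read fingerprints on real files; this parser only covers the v1 block. And a certificate pin cannot detect a swap performed with the developer's own key, so pinning the SHA-256 of the distributed file is a useful second control alongside it.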
Additional info
At least six other versions of the same application, with matching package names (com[.]egov[.]ap[p].*), were available on VirusTotal from the URL that delivered the malicious APK file.
Researchers examined all of these samples and found that none of the earlier app versions was harmful. They had been developed between February 2020 and March 2021.
Moreover, some antivirus solution providers detected the malicious application sample as Bahamut. However, that attribution could not be made with confidence.
Conclusion
By developing Android-based malware, the StrongPity APT group has attempted to expand its attack scope. Targeting a government's application portal to get around Android's security controls signifies that the threat actor is focused, motivated, and has clear plans for achieving its objectives.