
StrongPity APT Uses Trojanized Telegram App to Backdoor its Victims

StrongPity, also known as APT-C-41 and Promethium, is a cyberespionage group active since at least 2012, with most of its operations focused on Syria and Turkey. Its tradecraft has not changed drastically in a decade, but the group keeps refining it to make each campaign as effective as possible. Most recently, StrongPity was found distributing a malicious Android app from a fake website that mimics Shagle, a legitimate random-video-chat platform.

The recent update

  • According to ESET researchers, the fake site is a clone of the Shagle website that tricks visitors into downloading a malicious APK file (video.apk). The real Shagle service is web-only and offers no Android app.
  • The app is actually a trojanized build of Telegram v7.5.0 (February 2022) for Android with an added modular backdoor.
  • The fake site has been active since November 2021, but the campaign was only discovered in July 2022.

Functionalities

Upon installation, the app asks the victim to enable it as an Accessibility Service and then fetches an AES-encrypted file from the threat actor's C2 server.
  • This file contains 11 binary modules that the backdoor loads and executes dynamically to perform various actions on the victim's device.
  • These modules give the attackers broad espionage capabilities, including recording phone calls, tracking device location, and collecting SMS messages, call logs, contact lists, and files.
  • Because the victim grants the malware Accessibility Service access, the backdoor can also read the content of incoming notifications from apps such as Gmail, Hangouts, Instagram, Kik, LINE, Messenger, Skype, Snapchat, Tango, Telegram, Tinder, Twitter, Viber, and WeChat.

The stolen data is staged in the app's private directory, encrypted with AES, and then exfiltrated to the threat actor's C2 server.

Worth noting

  • The Android app is signed with the same certificate the group used in a 2021 campaign to sign an app mimicking the Syrian e-gov Android application, which ties the two operations to the same actor.
  • The backdoored build will not install on a device that already has the genuine Telegram app, because Android refuses to install a package whose name matches an installed app signed with a different certificate; the victim would have to remove the real Telegram first.
  • Telegram has rate-limited the API ID hard-coded into the captured samples for overuse, which indicates that the trojanized app was deployed to, and used by, real victims.
  • Most notably, the backdoor's binary modules are downloaded from the C2 server rather than bundled in the APK, so the attackers can change the number and type of modules at any time without redistributing the app.
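The two certificate observations above (the signing certificate reused from the 2021 Syrian e-gov lookalike, and the install conflict with the genuine Telegram app) both come down to one check: what certificate signed the APK. The following Python script is an added example written for this page, not code from ESET or StrongPity; it parses the JAR (v1) signature block in META-INF/*.RSA with a minimal DER walker, computes the SHA-256 fingerprint of each embedded certificate (the same digest apksigner and keytool report), and compares it against a list of known signers. The KNOWN_SIGNERS fingerprints are placeholders and must be replaced with values taken from a Play-sourced Telegram APK; the sample PKCS#7 blob and APK are constructed inline so the script runs offline, and the embedded "certificate" is a dummy SEQUENCE, not a real X.509 certificate.

```python
import hashlib
import io
import zipfile

# OID 1.2.840.113549.1.7.2 (pkcs7-signedData) and 1.2.840.113549.1.7.1 (pkcs7-data).
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")
OID_DATA = bytes.fromhex("2a864886f70d010701")

# Placeholder fingerprints (assumption, NOT real values): replace with the SHA-256
# certificate digest of a Telegram APK obtained from Google Play.
KNOWN_SIGNERS = {
    "0" * 64: "Telegram (official) - PLACEHOLDER, replace with real fingerprint",
}


def _tlv(buf, pos):
    """Decode one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    header = 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        header = 2 + n
    start = pos + header
    return tag, start, start + length


def _children(buf, start, end):
    """Iterate the TLVs inside a constructed element: (tag, tlv_start, value_start, value_end)."""
    pos = start
    while pos < end:
        tag, vstart, vend = _tlv(buf, pos)
        yield tag, pos, vstart, vend
        pos = vend


def pkcs7_certificates(der):
    """Return the DER bytes of every certificate carried in a PKCS#7 SignedData blob."""
    tag, s, e = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    kids = list(_children(der, s, e))
    if len(kids) < 2 or kids[0][0] != 0x06 or der[kids[0][2]:kids[0][3]] != OID_SIGNED_DATA:
        raise ValueError("not PKCS#7 SignedData")
    if kids[1][0] != 0xA0:
        raise ValueError("missing [0] EXPLICIT content")
    _, _, cstart, _ = kids[1]
    _, sd_start, sd_end = _tlv(der, cstart)     # the SignedData SEQUENCE
    certs = []
    for tag, _, vstart, vend in _children(der, sd_start, sd_end):
        if tag == 0xA0:                          # [0] IMPLICIT certificates; [1] (0xA1) would be CRLs
            for ctag, cpos, _, cend in _children(der, vstart, vend):
                if ctag == 0x30:
                    certs.append(der[cpos:cend])
    return certs


def fingerprint(cert_der):
    """SHA-256 over the DER certificate, lowercase hex (apksigner's format)."""
    return hashlib.sha256(cert_der).hexdigest()


def apk_v1_signer_fingerprints(apk):
    """Map each META-INF/*.RSA|DSA|EC entry to the fingerprints of its certificates.

    Only the JAR (v1) scheme is covered; v2/v3 signing blocks live outside the zip
    entries and need apksigner or a dedicated parser."""
    result = {}
    with zipfile.ZipFile(apk) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                result[name] = [fingerprint(c) for c in pkcs7_certificates(z.read(name))]
    return result


def match_signers(fingerprints, known=KNOWN_SIGNERS):
    """Label each fingerprint with its known-signer name or 'UNKNOWN'."""
    return {entry: [known.get(fp, "UNKNOWN") for fp in fps] for entry, fps in fingerprints.items()}


def der_tlv(tag, content):
    """Encode a DER TLV (used only to build the constructed test data)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


# Constructed test data: a dummy "certificate" SEQUENCE (not real X.509) wrapped in a
# syntactically valid PKCS#7 SignedData, as found in META-INF/CERT.RSA.
SAMPLE_CERT = der_tlv(0x30, der_tlv(0x30, b"\x02\x01\x01") + der_tlv(0x13, b"constructed test certificate"))
SAMPLE_PKCS7 = der_tlv(0x30, der_tlv(0x06, OID_SIGNED_DATA) + der_tlv(0xA0, der_tlv(
    0x30,
    der_tlv(0x02, b"\x01")                                   # version
    + der_tlv(0x31, b"")                                     # digestAlgorithms
    + der_tlv(0x30, der_tlv(0x06, OID_DATA))                 # encapContentInfo
    + der_tlv(0xA0, SAMPLE_CERT)                             # [0] certificates
    + der_tlv(0x31, b""))))                                  # signerInfos


def build_test_apk(pkcs7_der):
    """Build an in-memory zip shaped like a v1-signed APK (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"constructed placeholder")
        z.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", pkcs7_der)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    fps = apk_v1_signer_fingerprints(build_test_apk(SAMPLE_PKCS7))
    for entry, labels in match_signers(fps).items():
        for fp, label in zip(fps[entry], labels):
            print(f"{entry}: {fp} -> {label}")
```

Run it against a real file by passing the APK path to apk_v1_signer_fingerprints; an "UNKNOWN" label on a package that calls itself Telegram is exactly the condition that makes Android reject the install over a genuine copy, and a fingerprint that recurs across unrelated lookalike apps is the kind of pivot that linked this sample to the 2021 campaign.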

Wrapping up

One of the main hallmarks of StrongPity is its use of counterfeit websites that purport to offer a wide variety of software, only to serve trojanized versions of legitimate apps. Android users should therefore treat APKs sourced from third-party sites with suspicion and scrutinize permission requests when installing new apps, especially a request to be enabled as an Accessibility Service, which is what gives this backdoor its notification-reading capability.
Cyware Publisher
