ESET researchers identified an active StrongPity APT group campaign leveraging a fully functional but trojanized version of the legitimate Telegram app, which despite being non-existent, has been repackaged as „the“ Shagle app.
This StrongPity backdoor contains several espionage features, including 11 dynamically activated modules that are in charge of call recording, SMS message collection, contact list collection, call log collection, and much more. This is the very first time these modules have ever been publicly documented.
If the victim grants the malicious StrongPity app notification access and accessibility services, the app will also have access to incoming notifications from 17 apps such as Viber, Skype, Gmail, Messenger, and Tinder, and will be able to exfiltrate chat communication from other apps. The campaign is likely very narrowly targeted since ESET telemetry still hasn’t identified any victims.
The imitation Shagle website only offers an Android app to download; there is no option for web-based streaming, in contrast to the authentic Shagle website, which is web-based and does not give an official mobile app to access its services. The Google Play store has never made this trojanized Telegram app available.
The malicious code, its functionality, class names, and the certificate used to sign the APK file are identical to the previous campaign; thus ESET believes with high confidence that this operation belongs to the StrongPity group. Code analysis revealed that the backdoor is modular and additional binary modules are downloaded from the C&C server. This means that the number and type of modules used can be changed at any time to fit the campaign requests when operated by the StrongPity group.
Lukáš Štefanko, the ESET researcher who analyzed the trojanized Telegram app said “During our research, the analyzed version of malware available from the copycat website was not active anymore and it was no longer possible to successfully install and trigger its backdoor functionality. This is because StrongPity hasn’t obtained its own API ID for its trojanized Telegram app. But that might change at any time should the threat actor decide to update the malicious app.”
The repacked version of telegram uses the same package name as the legitimate Telegram app. Package names are supposed to have unique IDs for each single android app and they should be unique on every device. It means that if a device already has the official telegram app installed in it it can not have the backdoored version in it.
Štefanko added “This might mean one of two things – either the threat actor first communicates with potential victims and pushes them to uninstall Telegram from their devices if it is installed, or the campaign focuses on countries where Telegram usage is rare for communication.”
StrongPity’s app should have supported standard APIs that are fully described on the Telegram website, just as the official version does for communication, however, it no longer does. If the victim authorises the app notification access and turns on accessibility services, this StrongPity backdoor has more advanced spying capabilities than the initial StrongPity virus identified for mobile devices. It can spy on incoming alerts and exfiltrate chat communication.
