ESET announces a new StrongPity campaign, in which APT distributes a fake Shagle application, which is a Trojan version of Telegram for Android with the addition of a backdoor.

Shagle is a platform for conducting random video chats, allowing strangers to communicate over an encrypted communication channel. However, the platform is completely web-oriented and does not have a mobile application.

The researchers found out that since 2021, StrongPity has launched a fake Shagle website, tricking victims into downloading a malicious Android application, which, after installation, spies on targets, including intercepting phone calls, SMS and copying the contact list. 

However, the first confirmed discovery of the APK of the application in the wild occurred in July 2022.

Based on the similarity of the code with past payloads, the activity of StrongPity is attributed to the APT group, also known as Promethium or APT-C-41, previously seen in the distribution of Notepad++ Trojan installers and malicious versions of WinRAR and TrueCrypt.

In addition, the Android application is signed with the same certificate that APT used to sign the imitating Syrian e-government application for Android during the 2021 campaign.

The malicious Android application distributed by StrongPity, probably through a targeted phishing mailing list, is a standard Telegram application version 7.5.0 (February 2022) in the form of a video.apk APK file modified for Shagle.

At the same time, if the victim has already legitimately installed the Telegram application on the phone, then the installation of the backdoor version will not start.

After installation, the malware requests access to the special features service, and then receives a file encrypted with AES from the attacker's C2.

The file includes 11 binary modules extracted to the device and used by the backdoor to perform various functions: from recording telephone conversations (libarm.Instagram, WeChat, Snapchat, Tinder, Instagram, Twitter, Gmail, etc. (jar) before monitoring correspondence in Messenger, Viber, Skype, WeChat, Snapchat, Tinder, Instagram, Twitter, Gmail, etc.(phone.jar ).

The collected data is stored in the application directory, encrypted with AES, and eventually sent back to the attacker's C2.

On "rooted" devices, malware automatically grants itself permission to change security settings, write to the file system, reboot, and other key functions.

According to ESET, by now the API in the captured samples has already fallen off due to overuse, indicating that StrongPity has successfully deployed malware on targeted victims.

Thus, given that StrongPity has been active since 2012, the attacker continues to use proven tactics even after a decade.