ESET researchers recognized an lively StrongPity marketing campaign distributing a trojanized model of the Android Telegram app, introduced because the Shagle app – a video-chat service that has no app model
ESET researchers recognized an lively marketing campaign that we’ve attributed to the StrongPity APT group. Lively since November 2021, the marketing campaign has distributed a malicious app by way of a web site impersonating Shagle – a random-video-chat service that gives encrypted communications between strangers. In contrast to the completely web-based, real Shagle web site that doesn’t provide an official cellular app to entry its providers, the copycat web site solely supplies an Android app to obtain and no web-based streaming is feasible.
- Just one different Android marketing campaign has been beforehand attributed to StrongPity.
- That is the primary time that the described modules and their performance have been documented publicly.
- A copycat web site, mimicking the Shagle service, is used to distribute StrongPity’s cellular backdoor app.
- The app is a modified model of the open-source Telegram app, repackaged with StrongPity backdoor code.
- Primarily based on similarities with earlier StrongPity backdoor code and the app being signed with a certificates from an earlier StrongPity marketing campaign, we attribute this menace to the StrongPity APT group.
- StrongPity’s backdoor is modular, the place all essential binary modules are encrypted utilizing AES and downloaded from its C&C server, and has numerous spying options.
The malicious app is, the truth is, a totally practical however trojanized model of the authentic Telegram app, nonetheless, introduced because the non-existent Shagle app. We are going to confer with it because the pretend Shagle app, the trojanized Telegram app, or the StrongPity backdoor in the remainder of this blogpost. ESET merchandise detect this menace as Android/StrongPity.A.
This StrongPity backdoor has numerous spying options: its 11 dynamically triggered modules are answerable for recording cellphone calls, gathering SMS messages, lists of name logs, contact lists, and way more. These modules are being documented for the very first time. If the sufferer grants the malicious StrongPity app accessibility providers, considered one of its modules may also have entry to incoming notifications and can be capable of exfiltrate communication from 17 apps akin to Viber, Skype, Gmail, Messenger in addition to Tinder.
The marketing campaign is probably going very narrowly focused, since ESET telemetry nonetheless doesn’t determine any victims. Throughout our analysis, the analyzed model of malware obtainable from the copycat web site was not lively anymore and it was not potential to efficiently set up it and set off its backdoor performance as a result of StrongPity hasn’t obtained its personal API ID for its trojanized Telegram app. However which may change at any time ought to the menace actor determine to replace the malicious app.
This StrongPity marketing campaign facilities round an Android backdoor delivered from a site containing the phrase “dutch”. This web site impersonates the authentic service named Shagle at shagle.com. In Determine 1 you may see the house pages of each web sites. The malicious app is supplied immediately from the impersonating web site and has by no means been made obtainable from the Google Play retailer. It’s a trojanized model of the authentic Telegram app, introduced as if it have been the Shagle app, though there’s at the moment no official Shagle Android app.
As you may see in Determine 2, the HTML code of the pretend web site consists of proof that it was copied from the authentic shagle.com web site on November 1st, 2021, utilizing the automated software HTTrack. The malicious area was registered on the identical day, so the copycat web site and the pretend Shagle app could have been obtainable for obtain since that date.
On July 18th, 2022, considered one of our YARA guidelines at VirusTotal was triggered when a malicious app and a hyperlink to a web site mimicking shagle.com have been uploaded. On the identical time, we have been notified on Twitter about that pattern, though it was mistakenly attributed to Bahamut. ESET telemetry information nonetheless doesn’t determine any victims, suggesting the marketing campaign is prone to have been narrowly focused.
The APK distributed by the copycat Shagle web site is signed with the identical code-signing certificates (see Determine 3) as a trojanized Syrian e-gov app found in 2021 by Trend Micro, which was additionally attributed to StrongPity.
Malicious code within the pretend Shagle app was seen within the earlier cellular marketing campaign by StrongPity, and implements a easy, however practical, backdoor. We’ve got seen this code getting used solely in campaigns performed by StrongPity. In Determine 4 you may see a few of the added malicious lessons with most of the obfuscated names even being the identical within the code from each campaigns.
Evaluating the backdoor code from this marketing campaign to that from the trojanized Syrian e-gov app (SHA-1: 5A5910C2C9180382FCF7A939E9909044F0E8918B), it has prolonged performance however with the identical code getting used to offer comparable capabilities. In Determine 5 and Determine 6 you may evaluate the code from each samples that’s answerable for sending messages between parts. These messages are answerable for triggering the backdoor’s malicious habits. Therefore, we strongly consider that the pretend Shagle app is linked to the StrongPity group.
As described within the Overview part of this blogpost, the pretend Shagle app has been hosted on the Shagle copycat web site, from which victims had to decide on to obtain and set up the app. There was no subterfuge suggesting the app was obtainable from Google Play and we have no idea how potential victims have been lured to, or in any other case found, the pretend web site.
In line with the outline on the copycat web site, the app is free and supposed for use to fulfill and chat with new folks. Nevertheless, the downloaded app is a maliciously patched Telegram app, particularly Telegram model 7.5.0 (22467), which was obtainable for obtain round February 25th, 2022.
The repackaged model of Telegram makes use of the identical package deal identify because the authentic Telegram app. Bundle names are alleged to be distinctive IDs for every Android app and should be distinctive on any given gadget. Which means if the official Telegram app is already put in on the gadget of a possible sufferer, then this backdoored model can’t be put in; see Determine 7. This may imply considered one of two issues – both the menace actor first communicates with potential victims and pushes them to uninstall Telegram from their units whether it is put in, or the marketing campaign focuses on nations the place Telegram utilization is uncommon for communication.
StrongPity’s trojanized Telegram app ought to have labored simply because the official model does for communication, utilizing normal APIs which can be nicely documented on the Telegram web site – however the app doesn’t work anymore, so we’re unable to examine.
Throughout our analysis, the present model of malware obtainable from the copycat web site was not lively anymore and it was not potential to efficiently set up it and set off its backdoor performance. Once we tried to enroll utilizing our cellphone quantity, the repackaged Telegram app couldn’t receive the API ID from the server, and therefore didn’t work correctly. As seen in Determine 8, the app displayed an API_ID_PUBLISHED_FLOOD error.
Primarily based on Telegram’s error documentation, it appears that evidently StrongPity hasn’t obtained its personal API ID. As an alternative, it has used the pattern API ID included in Telegram’s open-source code for preliminary testing functions. Telegram screens API ID utilization and limits the pattern API ID, so its use in a launched app ends in the error seen in Determine 8. Due to the error, it isn’t potential to enroll and use the app or set off its malicious performance anymore. This may imply that StrongPity operators didn’t suppose this by way of, or maybe there was sufficient time to spy on victims between publishing the app and it being deactivated by Telegram for APP ID overuse. Since no new and dealing model of the app was ever made obtainable by way of the web site, it’d counsel that StrongPity efficiently deployed the malware to its desired targets.
Because of this, the pretend Shagle app obtainable on the pretend web site on the time of our analysis was not lively anymore. Nevertheless, this may change anytime ought to the menace actors determine to replace the malicious app.
Parts of, and permissions required by, the StrongPity backdoor code are appended to the Telegram app’s AndroidManifest.xml file. As might be seen in Determine 9, this makes it straightforward to see what permissions are essential for the malware.
From the Android manifest we are able to see that malicious lessons have been added within the org.telegram.messenger package deal to look as a part of the unique app.
The preliminary malicious performance is triggered by considered one of three broadcast receivers which can be executed after outlined actions – BOOT_COMPLETED, BATTERY_LOW, or USER_PRESENT. After the primary begin, it dynamically registers extra broadcast receivers to observe SCREEN_ON, SCREEN_OFF, and CONNECTIVITY_CHANGE occasions. The pretend Shagle app then makes use of IPC (interprocess communication) to speak between its parts to set off numerous actions. It contacts the C&C server utilizing HTTPS to ship primary details about the compromised gadget and receives an AES-encrypted file containing 11 binary modules that will probably be dynamically executed by the mother or father app; see Determine 10. As seen in Determine 11, these modules are saved within the app’s inner storage, /information/consumer/0/org.telegram.messenger/recordsdata/.li/.
Every module is answerable for completely different performance. The listing of the module names is saved in native shared preferences within the sharedconfig.xml file; see Determine 12.
Modules are dynamically triggered by the mother or father app every time essential. Every module has its personal module identify and is answerable for completely different performance akin to:
- libarm.jar (cm module) – data cellphone calls
- libmpeg4.jar (nt module) – collects textual content of incoming notification messages from 17 apps
- native.jar (fm/fp module) – collects file listing (file tree) on the gadget
- cellphone.jar (ms module) – misuses accessibility providers to spy on messaging apps by exfiltrating contact identify, chat message, and date
- assets.jar (sm module) – collects SMS messages saved on the gadget
- providers.jar (lo module) – obtains gadget location
- systemui.jar (sy module) – collects gadget and system data
- timer.jar (ia module) – collects a listing of put in apps
- toolkit.jar (cn module) – collects contact listing
- watchkit.jar (ac module) – collects a listing of gadget accounts
- wearkit.jar (cl module) – collects a listing of name logs
All obtained information is saved within the clear in /information/consumer/0/org.telegram.messenger/databases/outdata, earlier than being encrypted utilizing AES and despatched to the C&C server, as you may see in Determine 13.
This StrongPity backdoor has prolonged spying options in comparison with the primary StrongPity model found for cellular. It might probably request the sufferer to activate accessibility providers and acquire notification entry; see Determine 14. If the sufferer permits them, the malware will spy on incoming notifications and misuses accessibility providers to exfiltrate chat communication from different apps.
Determine 14. Malware requests, from the sufferer, notification entry and accessibility providers
With notification entry, the malware can learn acquired notification messages coming from 17 focused apps. Here’s a listing of their package deal names:
- Messenger (com.fb.orca)
- Messenger Lite (com.fb.mlite)
- Viber – Protected Chats And Calls (com.viber.voip)
- Skype (com.skype.raider)
- LINE: Calls & Messages (jp.naver.line.android)
- Kik — Messaging & Chat App (kik.android)
- tango-live stream & video chat (com.sgiggle.manufacturing)
- Hangouts (com.google.android.discuss)
- Telegram (org.telegram.messenger)
- WeChat (com.tencent.mm)
- Snapchat (com.snapchat.android)
- Tinder (com.tinder)
- Hike Information & Content material (com.bsb.hike)
- Instagram (com.instagram.android)
- Twitter (com.twitter.android)
- Gmail (com.google.android.gm)
- imo-Worldwide Calls & Chat (com.imo.android.imoim)
If the gadget is already rooted, the malware silently tries to grant permissions to WRITE_SETTINGS, WRITE_SECURE_SETTINGS, REBOOT, MOUNT_FORMAT_FILESYSTEMS, MODIFY_PHONE_STATE, PACKAGE_USAGE_STATS, READ_PRIVILEGED_PHONE_STATE, to allow accessibility providers, and to grant notification entry. The StrongPity backdoor then tries to disable the SecurityLogAgent app (com.samsung.android.securitylogagent), which is an official system app that helps shield the safety of Samsung units, and disables all app notifications coming from the malware itself that could be exhibited to the sufferer sooner or later in case of app errors, crashes, or warnings. The StrongPity backdoor doesn’t itself attempt to root a tool.
The AES algorithm makes use of CBC mode and hardcoded keys to decrypt the downloaded modules:
- AES key – aaaanothingimpossiblebbb
- AES IV – aaaanothingimpos
The cellular marketing campaign operated by the StrongPity APT group impersonated a authentic service to distribute its Android backdoor. StrongPity repackaged the official Telegram app to incorporate a variant of the group’s backdoor code.
That malicious code, its performance, class names, and the certificates used to signal the APK file, are the identical as from the earlier marketing campaign; thus we consider with excessive confidence that this operation belongs to the StrongPity group.
On the time of our analysis, the pattern that was obtainable on the copycat web site was disabled as a result of API_ID_PUBLISHED_FLOOD error, which ends up in malicious code not being triggered and potential victims probably eradicating the non-working app from their units.
Code evaluation reveals that the backdoor is modular and extra binary modules are downloaded from the C&C server. Which means the quantity and sort of modules used might be modified at any time to suit the marketing campaign requests when operated by the StrongPity group.
Primarily based on our evaluation, this seems to be the second model of StrongPity’s Android malware; in comparison with its first model, it additionally misuses accessibility providers and notification entry, shops collected information in an area database, tries to execute su instructions, and for a lot of the information assortment makes use of downloaded modules.
|SHA-1||File identify||ESET detection identify||Description|
|50F79C7DFABECF04522AEB2AC987A800AB5EC6D7||video.apk||Android/StrongPity.A||StrongPity backdoor (authentic Android Telegram app repackaged with malicious code).|
|77D6FE30DAC41E1C90BDFAE3F1CFE7091513FB91||libarm.jar||Android/StrongPity.A||StrongPity cellular module answerable for recording cellphone calls.|
|5A15F516D5C58B23E19D6A39325B4B5C5590BDE0||libmpeg4.jar||Android/StrongPity.A||StrongPity cellular module answerable for gathering textual content of acquired notifications.|
|D44818C061269930E50868445A3418A0780903FE||native.jar||Android/StrongPity.A||StrongPity cellular module answerable for gathering a file listing on the gadget.|
|F1A14070D5D50D5A9952F9A0B4F7CA7FED2199EE||cellphone.jar||Android/StrongPity.A||StrongPity cellular module answerable for misusing accessibility providers to spy on different apps.|
|3BFAD08B9AC63AF5ECF9AA59265ED24D0C76D91E||assets.jar||Android/StrongPity.A||StrongPity cellular module answerable for gathering SMS messages saved on the gadget.|
|5127E75A8FAF1A92D5BD0029AF21548AFA06C1B7||providers.jar||Android/StrongPity.A||StrongPity cellular module answerable for acquiring gadget location.|
|BD40DF3AD0CE0E91ACCA9488A2FE5FEEFE6648A0||systemui.jar||Android/StrongPity.A||StrongPity cellular module answerable for gathering gadget and system data.|
|ED02E16F0D57E4AD2D58F95E88356C17D6396658||timer.jar||Android/StrongPity.A||StrongPity cellular module answerable for gathering a listing of put in apps.|
|F754874A76E3B75A5A5C7FE849DDAE318946973B||toolkit.jar||Android/StrongPity.A||StrongPity cellular module answerable for gathering the contacts listing.|
|E46B76CADBD7261FE750DBB9B0A82F262AFEB298||watchkit.jar||Android/StrongPity.A||StrongPity cellular module answerable for gathering a listing of gadget accounts.|
|D9A71B13D3061BE12EE4905647DDC2F1189F00DE||wearkit.jar||Android/StrongPity.A||StrongPity cellular module answerable for gathering a listing of name logs.|
MITRE ATT&CK methods
This desk was constructed utilizing version 12 of the MITRE ATT&CK framework.
|Persistence||T1398||Boot or Logon Initialization Scripts||The StrongPity backdoor receives the BOOT_COMPLETED broadcast intent to activate at gadget startup.|
|T1624.001||Occasion Triggered Execution: Broadcast Receivers||The StrongPity backdoor performance is triggered if considered one of these occasions happens: BATTERY_LOW, USER_PRESENT, SCREEN_ON, SCREEN_OFF, or CONNECTIVITY_CHANGE.|
|Protection Evasion||T1407||Obtain New Code at Runtime||The StrongPity backdoor can obtain and execute extra binary modules.|
|T1406||Obfuscated Information or Data||The StrongPity backdoor makes use of AES encryption to obfuscate downloaded modules and to cover strings in its APK.|
|T1628.002||Conceal Artifacts: Consumer Evasion||The StrongPity backdoor can disable all app notifications coming from the malware itself to cover its presence.|
|T1629.003||Impair Defenses: Disable or Modify Instruments||If the StrongPity backdoor has root it disables SecurityLogAgent (com.samsung.android.securitylogagent) if current.|
|Discovery||T1420||File and Listing Discovery||The StrongPity backdoor can listing obtainable recordsdata on exterior storage.|
|T1418||Software program Discovery||The StrongPity backdoor can receive a listing of put in purposes.|
|T1422||System Community Configuration Discovery||The StrongPity backdoor can extract IMEI, IMSI, IP tackle, cellphone quantity, and nation.|
|T1426||System Data Discovery||The StrongPity backdoor can extract details about the gadget together with kind of web connection, SIM serial quantity, gadget ID, and customary system data.|
|Assortment||T1417.001||Enter Seize: Keylogging||The StrongPity backdoor logs keystrokes in chat messages and name information from focused apps.|
|T1517||Entry Notifications||The StrongPity backdoor can accumulate notification messages from 17 focused apps.|
|T1532||Archive Collected Knowledge||The StrongPity backdoor encrypts exfiltrated information utilizing AES.|
|T1430||Location Monitoring||The StrongPity backdoor tracks gadget location.|
|T1429||Audio Seize||The StrongPity backdoor can file cellphone calls.|
|T1513||Display Seize||The StrongPity backdoor can file gadget display utilizing the MediaProjectionManager API.|
|T1636.002||Protected Consumer Knowledge: Name Logs||The StrongPity backdoor can extract name logs.|
|T1636.003||Protected Consumer Knowledge: Contact Record||The StrongPity backdoor can extract the gadget’s contact listing.|
|T1636.004||Protected Consumer Knowledge: SMS Messages||The StrongPity backdoor can extract SMS messages.|
|Command and Management||T1437.001||Software Layer Protocol: Net Protocols||The StrongPity backdoor makes use of HTTPS to speak with its C&C server.|
|T1521.001||Encrypted Channel: Symmetric Cryptography||The StrongPity backdoor makes use of AES to encrypt its communication.|
|Exfiltration||T1646||Exfiltration Over C2 Channel||The StrongPity backdoor exfiltrates information utilizing HTTPS.|