StrongPity espionage marketing campaign concentrating on Android customers

ESET researchers recognized an energetic marketing campaign that we’ve got attributed to the StrongPity APT group. Lively since November 2021, the marketing campaign has distributed a malicious app by a web site impersonating Shagle – a random-video-chat service that gives encrypted communications between strangers. In contrast to the totally web-based, real Shagle web site that doesn’t supply an official cellular app to entry its providers, the copycat web site solely supplies an Android app to obtain and no web-based streaming is feasible.

The malicious app is, in truth, a totally purposeful however trojanized model of the professional Telegram app, nonetheless, introduced because the non-existent Shagle app. We’ll consult with it because the faux Shagle app, the trojanized Telegram app, or the StrongPity backdoor in the remainder of this blogpost. ESET merchandise detect this risk as Android/StrongPity.A.

This StrongPity backdoor has varied spying options: its 11 dynamically triggered modules are accountable for recording telephone calls, amassing SMS messages, lists of name logs, contact lists, and rather more. These modules are being documented for the very first time. If the sufferer grants the malicious StrongPity app accessibility providers, considered one of its modules may even have entry to incoming notifications and can have the ability to exfiltrate communication from 17 apps equivalent to Viber, Skype, Gmail, Messenger in addition to Tinder.

The marketing campaign is probably going very narrowly focused, since ESET telemetry nonetheless doesn’t establish any victims. Throughout our analysis, the analyzed model of malware accessible from the copycat web site was not energetic anymore and it was not doable to efficiently set up it and set off its backdoor performance as a result of StrongPity hasn’t obtained its personal API ID for its trojanized Telegram app. However which may change at any time ought to the risk actor resolve to replace the malicious app.

Overview

This StrongPity marketing campaign facilities round an Android backdoor delivered from a site containing the phrase “dutch”. This web site impersonates the professional service named Shagle at shagle.com. In Determine 1 you possibly can see the house pages of each web sites. The malicious app is offered immediately from the impersonating web site and has by no means been made accessible from the Google Play retailer. It’s a trojanized model of the professional Telegram app, introduced as if it have been the Shagle app, though there may be presently no official Shagle Android app.

Determine 1. Evaluating the professional web site on the left and the copycat on the fitting

As you possibly can see in Determine 2, the HTML code of the faux web site consists of proof that it was copied from the professional shagle.com web site on November 1^st, 2021, utilizing the automated software HTTrack. The malicious area was registered on the identical day, so the copycat web site and the faux Shagle app could have been accessible for obtain since that date.

Determine 2. Logs generated by the HTTrack software recorded within the faux web site’s HTML code

Victimology

On July 18^th, 2022, considered one of our YARA guidelines at VirusTotal was triggered when a malicious app and a hyperlink to a web site mimicking shagle.com have been uploaded. On the similar time, we have been notified on Twitter about that pattern, though it was mistakenly attributed to Bahamut. ESET telemetry knowledge nonetheless doesn’t establish any victims, suggesting the marketing campaign is prone to have been narrowly focused.

Attribution

The APK distributed by the copycat Shagle web site is signed with the identical code-signing certificates (see Determine 3) as a trojanized Syrian e-gov app found in 2021 by Trend Micro, which was additionally attributed to StrongPity.

Determine 3. This certificates signed the faux Shagle app and the trojanized Syrian e-gov app

Malicious code within the faux Shagle app was seen within the earlier cellular marketing campaign by StrongPity, and implements a easy, however purposeful, backdoor. We now have seen this code getting used solely in campaigns carried out by StrongPity. In Determine 4 you possibly can see a number of the added malicious courses with most of the obfuscated names even being the identical within the code from each campaigns.

Determine 4. Class title comparability of the trojanized Syrian e-gov app (left) and the trojanized Telegram app (proper)

Evaluating the backdoor code from this marketing campaign to that from the trojanized Syrian e-gov app (SHA-1: 5A5910C2C9180382FCF7A939E9909044F0E8918B), it has prolonged performance however with the identical code getting used to supply related capabilities. In Determine 5 and Determine 6 you possibly can evaluate the code from each samples that’s accountable for sending messages between elements. These messages are accountable for triggering the backdoor’s malicious habits. Therefore, we strongly consider that the faux Shagle app is linked to the StrongPity group.

Determine 5. Message dispatcher accountable for triggering malicious performance within the trojanized Syrian e-gov app

Determine 6. Message dispatcher accountable for triggering malicious performance within the faux Shagle app

Technical evaluation

Preliminary entry

As described within the Overview part of this blogpost, the faux Shagle app has been hosted on the Shagle copycat web site, from which victims had to decide on to obtain and set up the app. There was no subterfuge suggesting the app was accessible from Google Play and we have no idea how potential victims have been lured to, or in any other case found, the faux web site.

Toolset

In keeping with the outline on the copycat web site, the app is free and meant for use to satisfy and chat with new folks. Nonetheless, the downloaded app is a maliciously patched Telegram app, particularly Telegram model 7.5.0 (22467), which was accessible for obtain round February 25^th, 2022.

The repackaged model of Telegram makes use of the identical package deal title because the professional Telegram app. Package deal names are speculated to be distinctive IDs for every Android app and should be distinctive on any given machine. Which means that if the official Telegram app is already put in on the machine of a possible sufferer, then this backdoored model can’t be put in; see Determine 7. This would possibly imply considered one of two issues – both the risk actor first communicates with potential victims and pushes them to uninstall Telegram from their units whether it is put in, or the marketing campaign focuses on nations the place Telegram utilization is uncommon for communication.

Determine 7. If the official Telegram app is already put in on the machine, the trojanized model can’t be efficiently put in

StrongPity’s trojanized Telegram app ought to have labored simply because the official model does for communication, utilizing customary APIs which can be nicely documented on the Telegram web site – however the app doesn’t work anymore, so we’re unable to examine.

Throughout our analysis, the present model of malware accessible from the copycat web site was not energetic anymore and it was not doable to efficiently set up it and set off its backdoor performance. After we tried to enroll utilizing our telephone quantity, the repackaged Telegram app couldn’t acquire the API ID from the server, and therefore didn’t work correctly. As seen in Determine 8, the app displayed an API_ID_PUBLISHED_FLOOD error.

Determine 8. Error displayed throughout sign-up utilizing telephone quantity

Based mostly on Telegram’s error documentation, it appears that evidently StrongPity hasn’t obtained its personal API ID. As a substitute, it has used the pattern API ID included in Telegram’s open-source code for preliminary testing functions. Telegram screens API ID utilization and limits the pattern API ID, so its use in a launched app leads to the error seen in Determine 8. Due to the error, it isn’t doable to enroll and use the app or set off its malicious performance anymore. This would possibly imply that StrongPity operators didn’t suppose this by, or maybe there was sufficient time to spy on victims between publishing the app and it being deactivated by Telegram for APP ID overuse. Since no new and dealing model of the app was ever made accessible by the web site, it’d recommend that StrongPity efficiently deployed the malware to its desired targets.

In consequence, the faux Shagle app accessible on the faux web site on the time of our analysis was not energetic anymore. Nonetheless, this would possibly change anytime ought to the risk actors resolve to replace the malicious app.

Elements of, and permissions required by, the StrongPity backdoor code are appended to the Telegram app’s AndroidManifest.xml file. As may be seen in Determine 9, this makes it straightforward to see what permissions are mandatory for the malware.

Determine 9. AndroidManifest.xml with elements and permissions of the StrongPity backdoor highlighted

From the Android manifest we are able to see that malicious courses have been added within the org.telegram.messenger package deal to look as a part of the unique app.

The preliminary malicious performance is triggered by considered one of three broadcast receivers which can be executed after outlined actions – BOOT_COMPLETED, BATTERY_LOW, or USER_PRESENT. After the primary begin, it dynamically registers extra broadcast receivers to observe SCREEN_ON, SCREEN_OFF, and CONNECTIVITY_CHANGE occasions. The faux Shagle app then makes use of IPC (interprocess communication) to speak between its elements to set off varied actions. It contacts the C&C server utilizing HTTPS to ship fundamental details about the compromised machine and receives an AES-encrypted file containing 11 binary modules that will likely be dynamically executed by the mum or dad app; see Determine 10. As seen in Determine 11, these modules are saved within the app’s inner storage, /knowledge/consumer/0/org.telegram.messenger/information/.li/.

Determine 10. StrongPity backdoor receives an encrypted file that incorporates executable modules

Determine 11. Modules obtained from the server saved within the StrongPity backdoor’s inner storage

Every module is accountable for completely different performance. The listing of the module names is saved in native shared preferences within the sharedconfig.xml file; see Determine 12.

Modules are dynamically triggered by the mum or dad app each time mandatory. Every module has its personal module title and is accountable for completely different performance equivalent to:

• libarm.jar (cm module) – information telephone calls
• libmpeg4.jar (nt module) – collects textual content of incoming notification messages from 17 apps
• native.jar (fm/fp module) – collects file listing (file tree) on the machine
• telephone.jar (ms module) – misuses accessibility providers to spy on messaging apps by exfiltrating contact title, chat message, and date
• sources.jar (sm module) – collects SMS messages saved on the machine
• providers.jar (lo module) – obtains machine location
• systemui.jar (sy module) – collects machine and system data
• timer.jar (ia module) – collects a listing of put in apps
• toolkit.jar (cn module) – collects contact listing
• watchkit.jar (ac module) – collects a listing of machine accounts
• wearkit.jar (cl module) – collects a listing of name logs

Determine 12. Record of modules utilized by the StrongPity backdoor

All obtained knowledge is saved within the clear in /knowledge/consumer/0/org.telegram.messenger/databases/outdata, earlier than being encrypted utilizing AES and despatched to the C&C server, as you possibly can see in Determine 13.

Determine 13. Encrypted consumer knowledge exfiltrated to the C&C server

This StrongPity backdoor has prolonged spying options in comparison with the primary StrongPity model found for cellular. It could possibly request the sufferer to activate accessibility providers and acquire notification entry; see Determine 14. If the sufferer allows them, the malware will spy on incoming notifications and misuses accessibility providers to exfiltrate chat communication from different apps.

Determine 14. Malware requests, from the sufferer, notification entry and accessibility providers

With notification entry, the malware can learn obtained notification messages coming from 17 focused apps. Here’s a listing of their package deal names:

• Messenger (com.fb.orca)
• Messenger Lite (com.fb.mlite)
• Viber – Secure Chats And Calls (com.viber.voip)
• Skype (com.skype.raider)
• LINE: Calls & Messages (jp.naver.line.android)
• Kik — Messaging & Chat App (kik.android)
• tango-live stream & video chat (com.sgiggle.manufacturing)
• Hangouts (com.google.android.speak)
• Telegram (org.telegram.messenger)
• WeChat (com.tencent.mm)
• Snapchat (com.snapchat.android)
• Tinder (com.tinder)
• Hike Information & Content material (com.bsb.hike)
• Instagram (com.instagram.android)
• Twitter (com.twitter.android)
• Gmail (com.google.android.gm)
• imo-Worldwide Calls & Chat (com.imo.android.imoim)

If the machine is already rooted, the malware silently tries to grant permissions to WRITE_SETTINGS, WRITE_SECURE_SETTINGS, REBOOT, MOUNT_FORMAT_FILESYSTEMS, MODIFY_PHONE_STATE, PACKAGE_USAGE_STATS, READ_PRIVILEGED_PHONE_STATE, to allow accessibility providers, and to grant notification entry. The StrongPity backdoor then tries to disable the SecurityLogAgent app (com.samsung.android.securitylogagent), which is an official system app that helps defend the safety of Samsung units, and disables all app notifications coming from the malware itself that is perhaps exhibited to the sufferer sooner or later in case of app errors, crashes, or warnings. The StrongPity backdoor doesn’t itself attempt to root a tool.

The AES algorithm makes use of CBC mode and hardcoded keys to decrypt the downloaded modules:

• AES key – aaaanothingimpossiblebbb
• AES IV – aaaanothingimpos

Conclusion

The cellular marketing campaign operated by the StrongPity APT group impersonated a professional service to distribute its Android backdoor. StrongPity repackaged the official Telegram app to incorporate a variant of the group’s backdoor code.

That malicious code, its performance, class names, and the certificates used to signal the APK file, are the identical as from the earlier marketing campaign; thus we consider with excessive confidence that this operation belongs to the StrongPity group.

On the time of our analysis, the pattern that was accessible on the copycat web site was disabled because of the API_ID_PUBLISHED_FLOOD error, which leads to malicious code not being triggered and potential victims presumably eradicating the non-working app from their units.

Code evaluation reveals that the backdoor is modular and extra binary modules are downloaded from the C&C server. Which means that the quantity and kind of modules used may be modified at any time to suit the marketing campaign requests when operated by the StrongPity group.

Based mostly on our evaluation, this seems to be the second model of StrongPity’s Android malware; in comparison with its first model, it additionally misuses accessibility providers and notification entry, shops collected knowledge in a neighborhood database, tries to execute su instructions, and for a lot of the knowledge assortment makes use of downloaded modules.

IoCs

Recordsdata

Community

MITRE ATT&CK strategies

This desk was constructed utilizing version 12 of the MITRE ATT&CK framework.