Hackers target Android users with a malicious version of Telegram
Cybersecurity researchers have discovered that the StrongPity APT group is distributing a fake Shagle app that is in fact a trojanized version of the Telegram instant messaging app for Android, repackaged with a backdoor.
Shagle is a random video chat platform that lets strangers talk to each other over an encrypted channel. The platform is entirely web-based and has no mobile apps, so any "Shagle app" is suspect by definition.
Researchers found that since 2021 the StrongPity group has used a fake website impersonating the real Shagle site to trick victims into downloading the malicious Android app.
Once the app is installed, the attackers can spy on the victim, including recording phone calls, collecting SMS messages and obtaining contact lists.
The StrongPity group (also known as Promethium or APT-C-41) is linked to earlier campaigns in which it used a trojanized Notepad++ installer and malicious versions of WinRAR and TrueCrypt to infect targets with malware.
ESET researchers detected this more recent activity and attributed it to StrongPity based on code similarities between the new app and previous StrongPity payloads.
In addition, the researchers said the malicious Android app was signed with the same certificate the group used to sign an app impersonating a Syrian e-government Android app during a 2021 campaign.
The malicious Android app distributed by StrongPity is an APK file named video.apk: a modified build of Telegram v7.5.0 repackaged to pose as a Shagle mobile app. The APK is served directly from the fake Shagle website, not through the Google Play store.
ESET said the cloned website first appeared online in November 2021, so the APK may have been actively deployed since then. However, the first confirmed sighting of the activity was in July 2022.
One drawback for the attackers of building the fake app on Telegram is that if the victim's phone already has the legitimate Telegram app installed, the backdoored version cannot be installed: both carry the same package name, and Android refuses to install a package whose signing certificate does not match the copy already on the device.
The researchers also said the Telegram API ID used in the captured sample is now rate-limited due to overuse, so the trojanized app no longer accepts new user sign-ups and the backdoor no longer functions. ESET nevertheless believes StrongPity managed to deploy the malware on targeted victims' devices before that happened.
Once installed, the malware asks the user to enable accessibility services for it and then downloads an AES-encrypted file from the attacker's command-and-control server. That file carries the backdoor's modules, which collect data, stage it in the app's own directory, encrypt it and send it back to the attacker's server.
By abusing accessibility services, the malware can read notification content from apps including Messenger, Viber, Skype, WeChat, Snapchat, Instagram, Twitter and Gmail.
On rooted devices, the malware automatically grants itself permissions to change security settings, write to the file system, reboot the device and perform other dangerous actions.
The StrongPity group has been active since 2012 and frequently trojanizes legitimate software installers. According to the ESET report, the group has been using the same tactics for a decade.
Android users should be wary of APK files downloaded from outside the Google Play Store, and should review the permissions an app requests at install time, especially a request to enable accessibility services, which the app described here depends on.
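For a practitioner triaging a device, the two warning signs above (a sideloaded app carrying a well-known package name, and that app holding accessibility access) can be checked with two adb commands. The helper below is an added example, not code from ESET or from the campaign it describes: it parses the output of `adb shell pm list packages -i` and `adb shell settings get secure enabled_accessibility_services` and flags packages that were not installed by the Play Store yet have an enabled accessibility service. The sample output is constructed here; org.telegram.messenger is Telegram's real package name, but the accessibility service component names and the other package entries are hypothetical. Note that preloaded system apps also report `installer=null`, which is why the script requires both signals before raising a finding.

```python
"""Triage helper: find sideloaded apps that have been granted accessibility access.

Intended inputs are the raw text produced by:
  adb shell pm list packages -i
  adb shell settings get secure enabled_accessibility_services
(This is an illustrative script written for this article, not ESET tooling.)
"""
from dataclasses import dataclass

PLAY_STORE_INSTALLER = "com.android.vending"

# Constructed sample output, not captured from a real device. Package names other
# than org.telegram.messenger and the service component names are hypothetical.
SAMPLE_PACKAGES = """\
package:com.whatsapp  installer=com.android.vending
package:org.telegram.messenger  installer=null
package:com.android.chrome  installer=null
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.reader  installer=com.example.filemanager
"""

SAMPLE_ACCESSIBILITY = (
    "org.telegram.messenger/org.telegram.messenger.AccessibilityService:"
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
)


@dataclass(frozen=True)
class Finding:
    package: str
    installer: str
    accessibility_services: tuple


def parse_installed_packages(text: str) -> dict:
    """Map package name -> installer package ('null' for sideloaded or preloaded apps)."""
    installed = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        name_part, _, installer = line.partition("  installer=")
        installed[name_part[len("package:"):]] = installer or "null"
    return installed


def parse_accessibility_services(text: str) -> dict:
    """Map package name -> list of enabled accessibility service components.

    The setting is a colon-separated list of 'package/component' entries, or the
    literal string 'null' when no service has ever been enabled.
    """
    services = {}
    text = text.strip()
    if not text or text == "null":
        return services
    for entry in text.split(":"):
        package, _, component = entry.partition("/")
        if package:
            services.setdefault(package, []).append(component)
    return services


def find_suspicious(packages_text: str, accessibility_text: str,
                    trusted_installers=(PLAY_STORE_INSTALLER,)) -> list:
    """Return packages not installed by a trusted store that hold accessibility access."""
    installed = parse_installed_packages(packages_text)
    services = parse_accessibility_services(accessibility_text)
    findings = []
    for package, installer in installed.items():
        if installer in trusted_installers:
            continue
        if package in services:
            findings.append(Finding(package, installer, tuple(services[package])))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_PACKAGES, SAMPLE_ACCESSIBILITY):
        print(f"SUSPICIOUS {finding.package} (installer={finding.installer}) "
              f"accessibility={', '.join(finding.accessibility_services)}")
```

On a real device, replace the constructed samples with the command output (for example `subprocess.run(["adb", "shell", "pm", "list", "packages", "-i"], capture_output=True, text=True).stdout`). A hit on a package name that belongs to a popular app is the case described in this article: the legitimate app would have been installed by the Play Store, so `installer=null` plus accessibility access on a well-known package name is worth pulling the APK and checking its signing certificate.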