Learn about the StrongPity APT group's latest espionage campaign targeting Android users with a trojanized Telegram app disguised as the Shagle chat app...
In recent years, the threat landscape of mobile devices has grown exponentially, with Advanced Persistent Threat (APT) groups increasingly targeting mobile devices as a means to gain access to sensitive information. One such APT group, which goes by the moniker StrongPity has resurfaced lately.
StrongPity APT is a cyber-espionage group infamous for its targeted attacks against individuals and organizations in the Middle East and North Africa, as well as in Europe and South America. The group has been active since at least 2012 and has been known to use a variety of tools and techniques to gain access to its targets. In this threat research, we provide an in-depth analysis of the StrongPity APT group's campaign, which primarily targets Android users with a trojanized version of the legitimate Telegram app, covering its methods of operation as well as the technical details of the malware used in the campaign.
StrongPity has been active since at least 2012 and is known for its targeted attacks against individuals and organizations in the Middle East and North Africa, as well as in Europe and South America, including Belgium, France, Italy, Spain, and Turkey. The group uses a variety of tools and techniques to gain access to its targets, including phishing emails, watering hole attacks, and malware. Its primary focus is espionage, but it has also been known to use its access to targets' systems for financial gain. The group has been linked to a number of high-profile attacks, including the targeting of a Turkish mobile operator in 2016 and a number of attacks against Belgian and Italian telecommunications companies in 2017.
The latest StrongPity campaign targets Android users with a fully functional but trojanized version of the legitimate Telegram app, repackaged and presented as "the" Shagle app even though no official Shagle app exists. The campaign is distributed through a website impersonating the Shagle service; the fake site only offers an Android app to download and provides no web-based streaming. The trojanized app uses the same package name as the legitimate Telegram app, so if the official Telegram app is already installed on the device, the backdoored version cannot be installed.
The StrongPity backdoor has various spying features, including the ability to record phone calls and collect SMS messages, call logs, and contact lists. The malware is also capable of exfiltrating data from other apps if the victim grants the app notification access and activates accessibility services. This allows the attackers to gain access to sensitive information from a variety of apps including Viber, Skype, Gmail, Messenger, and Tinder.
Trojanized app requesting dangerous permissions
The malware's 11 dynamically triggered modules are responsible for these various functions and are being documented publicly for the first time.
The StrongPity malware is modular in nature, with additional binary modules being downloaded from the C&C server, which means that the number and type of modules used can be changed at any time to fit the campaign's requirements. This modularity allows the malware to remain flexible and adaptable to the needs of the campaign.
The 11 modules being fetched from the C&C servers
Shagle is a legitimate random-video-chat platform that allows strangers to talk via an encrypted communications channel. However, the platform is entirely web-based and does not offer a mobile app. StrongPity has been found using a fake website since 2021 that impersonates the actual Shagle site to trick victims into downloading a malicious Android app.
Comparison between the legitimate and the fake Shagle app
Once installed, this app enables the hackers to conduct espionage on the targeted victims, including monitoring phone calls, collecting SMS texts, and grabbing contact lists. The fake Shagle website is designed to mimic the original website and is likely being spread through spear-phishing emails, smishing (SMS phishing), or instant messages on online platforms.
The campaign is likely very narrowly targeted, as ESET telemetry still hasn’t identified any victims. The repackaged version of Telegram uses the same package name as the legitimate Telegram app, which means that if the official Telegram app is already installed on the device of a potential victim, then this backdoored version can’t be installed. This might mean that the threat actor first communicates with potential victims and pushes them to uninstall Telegram from their devices if it is installed or the campaign focuses on countries where Telegram usage is rare for communication.
If the official Telegram app is already installed, the trojanized version cannot be installed successfully
The malicious Android application distributed by StrongPity is an APK file named "video.apk," which is the standard Telegram v7.5.0 (February 2022) app modified to impersonate a Shagle mobile app. ESET researchers were able to attribute the campaign to the StrongPity APT group based on code similarities with past payloads and the fact that the Android app is signed with the same certificate the APT used to sign an app that mimicked the Syrian e-gov Android application in a 2021 campaign.
Upon installation, the malware requests access to the Accessibility Service and then fetches an AES-encrypted file from the attacker's command and control server. This file consists of 11 binary modules that are extracted to the device and used by the backdoor to perform its various malicious functions. Each module performs an espionage function and is triggered as needed.
The 11 modules and their functions:

libarm.jar: records phone calls
libmpeg4.jar: collects the text of incoming notification messages from 17 apps
local.jar: collects the file list (file tree) on the device
phone.jar: misuses accessibility services to spy on messaging apps by exfiltrating contact name, chat message, and date
resources.jar: collects SMS messages stored on the device
services.jar: obtains device location
systemui.jar: collects device and system information
timer.jar: collects a list of installed apps
toolkit.jar: collects the contact list
watchkit.jar: collects a list of device accounts
wearkit.jar: collects a list of call logs

The gathered data is stored in the app's directory, encrypted with AES, and eventually sent back to the attacker's command and control server.
In order to detect and protect against the StrongPity malware, it is important to be aware of the following Indicators of Compromise (IoCs):
File Hashes: The following SHA-1 file hashes have been identified as associated with the StrongPity malware:

50F79C7DFABECF04522AEB2AC987A800AB5EC6D7 (video.apk)
77D6FE30DAC41E1C90BDFAE3F1CFE7091513FB91 (libarm.jar)
5A15F516D5C58B23E19D6A39325B4B5C5590BDE0 (libmpeg4.jar)
D44818C061269930E50868445A3418A0780903FE (local.jar)
F1A14070D5D50D5A9952F9A0B4F7CA7FED2199EE (phone.jar)
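As an added detection example (not part of the original report and not ESET's code), the script below sweeps a directory for the SHA-1 hashes listed above and for the file names of the 11 modules, classifying each hit; it assumes the published hashes are SHA-1 and uses a constructed temporary directory as its sample input.

```python
# StrongPity IoC sweep (SHA-1 hashes + module names). Added example, not ESET's code.
import hashlib
import os
import tempfile

# SHA-1 hashes from the report (lowercased), keyed to the file they belong to.
STRONGPITY_SHA1 = {
    "50f79c7dfabecf04522aeb2ac987a800ab5ec6d7": "video.apk",
    "77d6fe30dac41e1c90bdfae3f1cfe7091513fb91": "libarm.jar",
    "5a15f516d5c58b23e19d6a39325b4b5c5590bde0": "libmpeg4.jar",
    "d44818c061269930e50868445a3418a0780903fe": "local.jar",
    "f1a14070d5d50d5a9952f9a0b4f7ca7fed2199ee": "phone.jar",
}
# Names of the 11 dynamically fetched modules described in the report.
MODULE_NAMES = {n + ".jar" for n in ("libarm libmpeg4 local phone resources "
                "services systemui timer toolkit watchkit wearkit").split()}

def sha1_of_file(path, chunk=1 << 16):
    h = hashlib.sha1()  # streamed, so a large APK need not fit in memory
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def classify(name, digest):
    """Hash match = definite hit; a module-name match alone is a weaker signal
    (the names look generic on purpose) that still warrants a closer look."""
    if digest.lower() in STRONGPITY_SHA1:
        return "sha1 match: " + STRONGPITY_SHA1[digest.lower()]
    if name in MODULE_NAMES:
        return "module name match"
    return None

def sweep(root):
    """Return (path, reason) for every file under root that matches an IoC."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reason = classify(name, sha1_of_file(path))
            if reason:
                findings.append((path, reason))
    return findings

def demo():  # constructed sample tree: two module-named files, one benign file
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("libarm.jar", "wearkit.jar", "notes.txt"):
            with open(os.path.join(tmp, name), "wb") as f:
                f.write(b"constructed sample content for " + name.encode())
        return sorted(os.path.basename(p) for p, _ in sweep(tmp))
```

Point sweep() at an extracted APK or a pulled app data directory; demo() only shows the name-based hits because its files are constructed, so their hashes do not match the published ones.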
To protect against the StrongPity campaign, it is important to be cautious when downloading apps from third-party app stores, and to only download apps from official app stores such as Google Play. Additionally, organizations should implement security controls such as firewalls, intrusion detection systems, and anti-virus software to detect and prevent malware infections.
It is also important to be aware of phishing attempts and to be cautious when clicking on links in emails or text messages. Additionally, organizations should be aware of the signs of a potential APT attack, such as unusual network traffic, and have incident response plans in place to quickly detect and respond to an attack. Regularly updating software and systems, and providing cybersecurity training to employees, can also help to prevent a successful attack.