StrongPity APT Uses Trojanized Telegram App to Backdoor its Victims

The recent update

• According to ESET researchers, the fake site is a cloned Shagle website that tricks victims into downloading the malicious APK file (video.apk).
• In reality, the app is a trojanized version of the standard Telegram v7.5.0 (February 2022) for Android with an added modular backdoor. 
• The site has been active since November 2021 and was first discovered in July 2022.

Functionalities 

• This file contains 11 binary modules, dynamically executed by the backdoor to perform various actions on the victim’s device.
• These modules enable the attackers to conduct espionage on the victims, including recording phone calls, tracking device locations, and collecting SMS messages, call logs, contacts lists, and files.
• In addition, granting the malware Accessibility Services permissions enables it to read notification content from various apps such as Gmail, Hangouts, Instagram, Kik, LINE, Messenger, Skype, Snapchat, Tango, Telegram, Tinder, Twitter, Viber, and WeChat.

Worth noting

• The group used the same certificate to sign the Android app, which it used to sign an app mimicking the Syrian e-gov Android application in a 2021 campaign.
• The backdoored version of the app won't be installed if the victim already has the real Telegram app installed on their phones.
• Experts found that the API ID used in the captured samples has been limited due to overuse, which indicates that the group has successfully deployed the malware on targeted victims.
• More notably, the additional binary modules of the backdoor are downloaded from the C2 server. This signifies that the attacker can change the number and type of modules at any time.

Wrapping up