ESET researchers identified an active StrongPity campaign distributing a trojanized version of the Android Telegram app, presented as the Shagle app – a video-chat service that has no app version
ESET researchers identified an active campaign that we have attributed to the StrongPity APT group. Active since November 2021, the campaign has distributed a malicious app through a website impersonating Shagle – a random-video-chat service that provides encrypted communications between strangers. Unlike the entirely web-based, genuine Shagle site that doesn’t offer an official mobile app to access its services, the copycat site only provides an Android app to download and no web-based streaming is possible.
The malicious app is, in fact, a fully functional but trojanized version of the legitimate Telegram app, presented, however, as the non-existent Shagle app. We will refer to it as the fake Shagle app, the trojanized Telegram app, or the StrongPity backdoor in the rest of this blogpost. ESET products detect this threat as Android/StrongPity.A.
This StrongPity backdoor has various spying features: its 11 dynamically triggered modules are responsible for recording phone calls, collecting SMS messages, lists of call logs, contact lists, and much more. These modules are being documented for the very first time. If the victim grants the malicious StrongPity app accessibility services, one of its modules will also have access to incoming notifications and will be able to exfiltrate communication from 17 apps such as Viber, Skype, Gmail, Messenger as well as Tinder.
The campaign is likely very narrowly targeted, since ESET telemetry still doesn’t identify any victims. During our research, the analyzed version of malware available from the copycat website was not active anymore and it was no longer possible to successfully install it and trigger its backdoor functionality because StrongPity hasn’t obtained its own API ID for its trojanized Telegram app. But that might change at any time should the threat actor decide to update the malicious app.
This StrongPity campaign centers around an Android backdoor delivered from a domain containing the word “dutch”. This website impersonates the legitimate service named Shagle at shagle.com. In Figure 1 you can see the home pages of both websites. The malicious app is provided directly from the impersonating website and has never been made available from the Google Play store. It is a trojanized version of the legitimate Telegram app, presented as if it were the Shagle app, although there is currently no official Shagle Android app.
As you can see in Figure 2, the HTML code of the fake site includes evidence that it was copied from the legitimate shagle.com site on November 1st, 2021, using the automated tool HTTrack. The malicious domain was registered on the same day, so the copycat site and the fake Shagle app may have been available for download since that date.
On July 18th, 2022, one of our YARA rules at VirusTotal was triggered when a malicious app and a link to a website mimicking shagle.com were uploaded. At the same time, we were notified on Twitter about that sample, although it was mistakenly attributed to Bahamut. ESET telemetry data still does not identify any victims, suggesting the campaign is likely to have been narrowly targeted.
The APK distributed by the copycat Shagle website is signed with the same code-signing certificate (see Figure 3) as a trojanized Syrian e-gov app discovered in 2021 by Trend Micro, which was also attributed to StrongPity.
The malicious code in the fake Shagle app was already seen in StrongPity’s previous mobile campaign and implements a simple but functional backdoor. We have seen this code being used only in campaigns conducted by StrongPity. In Figure 4 you can see some of the added malicious classes, with many of the obfuscated names even being the same in the code from both campaigns.
Comparing the backdoor code from this campaign to that from the trojanized Syrian e-gov app (SHA-1: 5A5910C2C9180382FCF7A939E9909044F0E8918B), it has extended functionality but with the same code being used to provide similar functions. In Figure 5 and Figure 6 you can compare the code from both samples that is responsible for sending messages between components. These messages are responsible for triggering the backdoor’s malicious behavior. Hence, we strongly believe that the fake Shagle app is linked to the StrongPity group.
As described in the Overview section of this blogpost, the fake Shagle app has been hosted at the Shagle copycat website, from which victims had to choose to download and install the app. There was no subterfuge suggesting the app was available from Google Play and we do not know how potential victims were lured to, or otherwise discovered, the fake website.
According to the description on the copycat website, the app is free and intended to be used to meet and chat with new people. However, the downloaded app is a maliciously patched Telegram app, specifically Telegram version 7.5.0 (22467), which was available for download around February 25th, 2022.
The repackaged version of Telegram uses the same package name as the legitimate Telegram app. Package names are supposed to be unique IDs for each Android app and must be unique on any given device. This means that if the official Telegram app is already installed on the device of a potential victim, then this backdoored version can’t be installed; see Figure 7. This might mean one of two things – either the threat actor first communicates with potential victims and pushes them to uninstall Telegram from their devices if it is installed, or the campaign focuses on countries where Telegram usage is rare for communication.
StrongPity’s trojanized Telegram app should have worked just as the official version does for communication, using standard APIs that are well documented on the Telegram website – but the app doesn’t work anymore, so we’re unable to check.
During our research, the current version of malware available from the copycat website was not active anymore and it was no longer possible to successfully install it and trigger its backdoor functionality. When we tried to sign up using our phone number, the repackaged Telegram app couldn’t obtain the API ID from the server, and hence did not work properly. As seen in Figure 8, the app displayed an API_ID_PUBLISHED_FLOOD error.
Based on Telegram’s error documentation, it seems that StrongPity hasn’t obtained its own API ID. Instead, it has used the sample API ID included in Telegram’s open-source code for initial testing purposes. Telegram monitors API ID usage and limits the sample API ID, so its use in a released app results in the error seen in Figure 8. Because of the error, it is not possible to sign up and use the app or trigger its malicious functionality anymore. This might mean that StrongPity operators didn’t think this through, or perhaps there was enough time to spy on victims between publishing the app and it being deactivated by Telegram for API ID overuse. Since no new and working version of the app was ever made available through the website, it might suggest that StrongPity successfully deployed the malware to its desired targets.
As a result, the fake Shagle app available on the fake website at the time of our research was not active anymore. However, this might change anytime should the threat actors decide to update the malicious app.
Components of, and permissions required by, the StrongPity backdoor code are appended to the Telegram app’s AndroidManifest.xml file. As can be seen in Figure 9, this makes it easy to see what permissions are necessary for the malware.
From the Android manifest we can see that malicious classes were added in the org.telegram.messenger package to appear as part of the original app.
The initial malicious functionality is triggered by one of three broadcast receivers that are executed after defined actions – BOOT_COMPLETED, BATTERY_LOW, or USER_PRESENT. After the first start, it dynamically registers additional broadcast receivers to monitor SCREEN_ON, SCREEN_OFF, and CONNECTIVITY_CHANGE events. The fake Shagle app then uses IPC (interprocess communication) to communicate between its components to trigger various actions. It contacts the C&C server using HTTPS to send basic information about the compromised device and receives an AES-encrypted file containing 11 binary modules that will be dynamically executed by the parent app; see Figure 10. As seen in Figure 11, these modules are stored in the app’s internal storage, /data/user/0/org.telegram.messenger/files/.li/.
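As an added example (not ESET’s or the malware’s code), the following Python triage helper scans a decoded AndroidManifest.xml, such as apktool output, for the additions described above: receivers registered for the BOOT_COMPLETED, BATTERY_LOW and USER_PRESENT actions, and services bound with the notification-listener or accessibility permissions that the later modules rely on. The manifest embedded in it is constructed for the demo and its component class names are placeholders.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Broadcast actions the analysis names as the backdoor's initial triggers.
TRIGGER_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.intent.action.BATTERY_LOW",
    "android.intent.action.USER_PRESENT",
}
# Binding permissions that give a service notification access / accessibility powers.
SPY_SERVICE_PERMS = {
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE",
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
}

def triage_manifest(xml_text: str) -> dict:
    """Return the package name plus every receiver listening for a trigger
    action and every service bound with a spy-capable permission."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    findings = {"package": root.get("package"),
                "trigger_receivers": {}, "spy_services": {}}
    for recv in app.iter("receiver"):
        actions = {a.get(ANDROID_NS + "name") for a in recv.iter("action")}
        hits = sorted(actions & TRIGGER_ACTIONS)
        if hits:
            findings["trigger_receivers"][recv.get(ANDROID_NS + "name")] = hits
    for svc in app.iter("service"):
        perm = svc.get(ANDROID_NS + "permission")
        if perm in SPY_SERVICE_PERMS:
            findings["spy_services"][svc.get(ANDROID_NS + "name")] = perm
    return findings

# Constructed sample of a decoded manifest; class names are placeholders, not the real obfuscated ones.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="org.telegram.messenger">
  <application>
    <receiver android:name="org.telegram.messenger.ExampleReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.BATTERY_LOW"/>
        <action android:name="android.intent.action.USER_PRESENT"/>
      </intent-filter>
    </receiver>
    <service android:name="org.telegram.messenger.ExampleNotifService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <service android:name="org.telegram.messenger.ExampleA11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print(key, value)
```

A hit is a triage signal to compare against a clean Telegram build of the same version, since a legitimate messenger may also register some of these receivers.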
Each module is responsible for different functionality. The list of the module names is stored in local shared preferences in the sharedconfig.xml file; see Figure 12.
Modules are dynamically triggered by the parent app whenever necessary. Each module has its own module name and is responsible for different functionality such as:
libarm.jar (cm module) – records phone calls
libmpeg4.jar (nt module) – collects text of incoming notification messages from 17 apps
local.jar (fm/fp module) – collects file list (file tree) on the device
phone.jar (ms module) – misuses accessibility services to spy on messaging apps by exfiltrating contact name, chat message, and date
resources.jar (sm module) – collects SMS messages stored on the device
services.jar (lo module) – obtains device location
systemui.jar (sy module) – collects device and system information
timer.jar (ia module) – collects a list of installed apps
toolkit.jar (cn module) – collects contact list
watchkit.jar (ac module) – collects a list of device accounts
wearkit.jar (cl module) – collects a list of call logs
All obtained data is stored in the clear in /data/user/0/org.telegram.messenger/databases/outdata, before being encrypted using AES and sent to the C&C server, as you can see in Figure 13.
This StrongPity backdoor has extended spying features compared to the first StrongPity version discovered for mobile. It can request the victim to activate accessibility services and gain notification access; see Figure 14. If the victim enables them, the malware will spy on incoming notifications and misuses accessibility services to exfiltrate chat communication from other apps.
Figure 14. Malware requests, from the victim, notification access and accessibility services
With notification access, the malware can read received notification messages coming from 17 targeted apps. Here is a list of their package names:
Messenger Lite (com.facebook.mlite)
Viber – Safe Chats And Calls (com.viber.voip)
LINE: Calls & Messages (jp.naver.line.android)
Kik — Messaging & Chat App (kik.android)
tango-live stream & video chat (com.sgiggle.production)
Hike News & Content (com.bsb.hike)
imo-International Calls & Chat (com.imo.android.imoim)
If the device is already rooted, the malware silently tries to grant permissions to WRITE_SETTINGS, WRITE_SECURE_SETTINGS, REBOOT, MOUNT_FORMAT_FILESYSTEMS, MODIFY_PHONE_STATE, PACKAGE_USAGE_STATS, READ_PRIVILEGED_PHONE_STATE, to enable accessibility services, and to grant notification access. The StrongPity backdoor then tries to disable the SecurityLogAgent app (com.samsung.android.securitylogagent), which is an official system app that helps protect the security of Samsung devices, and disables all app notifications coming from the malware itself that might be displayed to the victim in the future in case of app errors, crashes, or warnings. The StrongPity backdoor does not itself try to root a device.
The downloaded modules are decrypted with AES in CBC mode using a hardcoded key and IV:
AES key – aaaanothingimpossiblebbb
AES IV – aaaanothingimpos
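An added analyst helper (not ESET’s or the malware’s code) that decrypts a captured module blob with the key and IV above using the cryptography package; it assumes PKCS#7 padding, which the analysis does not state, and checks that the result is a ZIP/JAR as the module names suggest. The sample blob it works on is constructed.

```python
from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

# Hardcoded values recovered from the backdoor (as given in the analysis above).
KEY = b"aaaanothingimpossiblebbb"  # 24 bytes, so this is AES-192
IV = b"aaaanothingimpos"           # 16 bytes; simply the first 16 bytes of the key

# The analysis lists the modules as .jar files, i.e. ZIP archives.
ZIP_MAGIC = b"PK\x03\x04"


def decrypt_module(blob: bytes) -> bytes:
    """AES-192-CBC decrypt a downloaded module blob with the static key/IV.
    PKCS#7 padding is an assumption; the original text does not name the padding."""
    dec = Cipher(algorithms.AES(KEY), modes.CBC(IV)).decryptor()
    padded = dec.update(blob) + dec.finalize()
    unpadder = padding.PKCS7(128).unpadder()
    return unpadder.update(padded) + unpadder.finalize()


def encrypt_module(plain: bytes) -> bytes:
    """Inverse of decrypt_module, used here only to build a test blob."""
    padder = padding.PKCS7(128).padder()
    padded = padder.update(plain) + padder.finalize()
    enc = Cipher(algorithms.AES(KEY), modes.CBC(IV)).encryptor()
    return enc.update(padded) + enc.finalize()


def looks_like_jar(data: bytes) -> bool:
    """Sanity check on decrypted output before treating it as a module."""
    return data.startswith(ZIP_MAGIC)


# Constructed stand-in for a module: a ZIP header followed by filler bytes.
SAMPLE_MODULE = ZIP_MAGIC + b"constructed libarm.jar stand-in"
SAMPLE_BLOB = encrypt_module(SAMPLE_MODULE)

if __name__ == "__main__":
    recovered = decrypt_module(SAMPLE_BLOB)
    print("jar header:", looks_like_jar(recovered), "length:", len(recovered))
```

Because both key and IV are fixed, a given module always encrypts to the same bytes, so the encrypted blob itself, not only the decrypted JAR, can be matched by hash or signature.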
The mobile campaign operated by the StrongPity APT group impersonated a legitimate service to distribute its Android backdoor. StrongPity repackaged the official Telegram app to include a variant of the group’s backdoor code.
That malicious code, its functionality, class names, and the certificate used to sign the APK file, are the same as from the previous campaign; thus we believe with high confidence that this operation belongs to the StrongPity group.
At the time of our research, the sample that was available on the copycat website was disabled due to the API_ID_PUBLISHED_FLOOD error, which results in malicious code not being triggered and potential victims possibly removing the non-working app from their devices.
Code analysis reveals that the backdoor is modular and that additional binary modules are downloaded from the C&C server. This means that the number and type of modules used can be changed at any time to fit the requirements of whatever campaign StrongPity is running.
Based on our analysis, this appears to be the second version of StrongPity’s Android malware; compared to its first version, it also misuses accessibility services and notification access, stores collected data in a local database, tries to execute su commands, and for most of the data collection uses downloaded modules.
| SHA-1 | File name | ESET detection name | Description |
|---|---|---|---|
| 50F79C7DFABECF04522AEB2AC987A800AB5EC6D7 | video.apk | Android/StrongPity.A | StrongPity backdoor (legitimate Android Telegram app repackaged with malicious code). |
| 77D6FE30DAC41E1C90BDFAE3F1CFE7091513FB91 | libarm.jar | Android/StrongPity.A | StrongPity mobile module responsible for recording phone calls. |
| 5A15F516D5C58B23E19D6A39325B4B5C5590BDE0 | libmpeg4.jar | Android/StrongPity.A | StrongPity mobile module responsible for collecting text of received notifications. |
| D44818C061269930E50868445A3418A0780903FE | local.jar | Android/StrongPity.A | StrongPity mobile module responsible for collecting a file list on the device. |
| F1A14070D5D50D5A9952F9A0B4F7CA7FED2199EE | phone.jar | Android/StrongPity.A | StrongPity mobile module responsible for misusing accessibility services to spy on other apps. |
| 3BFAD08B9AC63AF5ECF9AA59265ED24D0C76D91E | resources.jar | Android/StrongPity.A | StrongPity mobile module responsible for collecting SMS messages stored on the device. |
| 5127E75A8FAF1A92D5BD0029AF21548AFA06C1B7 | services.jar | Android/StrongPity.A | StrongPity mobile module responsible for obtaining device location. |
| BD40DF3AD0CE0E91ACCA9488A2FE5FEEFE6648A0 | systemui.jar | Android/StrongPity.A | StrongPity mobile module responsible for collecting device and system information. |
| ED02E16F0D57E4AD2D58F95E88356C17D6396658 | timer.jar | Android/StrongPity.A | StrongPity mobile module responsible for collecting a list of installed apps. |
| F754874A76E3B75A5A5C7FE849DDAE318946973B | toolkit.jar | Android/StrongPity.A | StrongPity mobile module responsible for collecting the contacts list. |
| E46B76CADBD7261FE750DBB9B0A82F262AFEB298 | watchkit.jar | Android/StrongPity.A | StrongPity mobile module responsible for collecting a list of device accounts. |
| D9A71B13D3061BE12EE4905647DDC2F1189F00DE | wearkit.jar | Android/StrongPity.A | StrongPity mobile module responsible for collecting a list of call logs. |
| IP | Provider | Date | Domain | Details |
|---|---|---|---|---|
| 141.255.161[.]185 | NameCheap | 2022-07-28 | intagrefedcircuitchip[.]com | C&C |
| 185.12.46[.]138 | Porkbun | 2020-04-21 | networksoftwaresegment[.]com | C&C |
MITRE ATT&CK techniques
This table was built using version 12 of the MITRE ATT&CK framework.
| Tactic | ID | Name | Description |
|---|---|---|---|
| Persistence | T1398 | Boot or Logon Initialization Scripts | The StrongPity backdoor receives the BOOT_COMPLETED broadcast intent to activate at device startup. |
| Persistence | T1624.001 | Event Triggered Execution: Broadcast Receivers | The StrongPity backdoor functionality is triggered if one of these events occurs: BATTERY_LOW, USER_PRESENT, SCREEN_ON, SCREEN_OFF, or CONNECTIVITY_CHANGE. |
| Defense Evasion | T1407 | Download New Code at Runtime | The StrongPity backdoor can download and execute additional binary modules. |
| Defense Evasion | T1406 | Obfuscated Files or Information | The StrongPity backdoor uses AES encryption to obfuscate downloaded modules and to hide strings in its APK. |
| Defense Evasion | T1628.002 | Hide Artifacts: User Evasion | The StrongPity backdoor can disable all app notifications coming from the malware itself to hide its presence. |
| Defense Evasion | T1629.003 | Impair Defenses: Disable or Modify Tools | If the StrongPity backdoor has root, it disables SecurityLogAgent (com.samsung.android.securitylogagent) if present. |
| Discovery | T1420 | File and Directory Discovery | The StrongPity backdoor can list available files on external storage. |
| Discovery | T1418 | Software Discovery | The StrongPity backdoor can obtain a list of installed applications. |
| Discovery | T1422 | System Network Configuration Discovery | The StrongPity backdoor can extract IMEI, IMSI, IP address, phone number, and country. |
| Discovery | T1426 | System Information Discovery | The StrongPity backdoor can extract information about the device including type of internet connection, SIM serial number, device ID, and common system information. |
| Collection | T1417.001 | Input Capture: Keylogging | The StrongPity backdoor logs keystrokes in chat messages and call data from targeted apps. |
| Collection | T1517 | Access Notifications | The StrongPity backdoor can collect notification messages from 17 targeted apps. |
| Collection | T1532 | Archive Collected Data | The StrongPity backdoor encrypts exfiltrated data using AES. |
| Collection | T1430 | Location Tracking | The StrongPity backdoor tracks device location. |
| Collection | T1429 | Audio Capture | The StrongPity backdoor can record phone calls. |
| Collection | T1513 | Screen Capture | The StrongPity backdoor can record the device screen using the MediaProjectionManager API. |
| Collection | T1636.002 | Protected User Data: Call Logs | The StrongPity backdoor can extract call logs. |
| Collection | T1636.003 | Protected User Data: Contact List | The StrongPity backdoor can extract the device’s contact list. |
| Collection | T1636.004 | Protected User Data: SMS Messages | The StrongPity backdoor can extract SMS messages. |
| Command and Control | T1437.001 | Application Layer Protocol: Web Protocols | The StrongPity backdoor uses HTTPS to communicate with its C&C server. |
| Command and Control | T1521.001 | Encrypted Channel: Symmetric Cryptography | The StrongPity backdoor uses AES to encrypt its communication. |
| Exfiltration | T1646 | Exfiltration Over C2 Channel | The StrongPity backdoor exfiltrates data using HTTPS. |