ESET researchers report that the StrongPity APT group is targeting Android users with a trojanized version of the Telegram app, distributed through a fake website that mimics the Shagle video chat service.
The cyber-espionage group StrongPity (also tracked as APT-C-41 and Promethium) has been active since at least 2012 and targets victims in Syria, Turkey, Africa, Asia, Europe and North America.
In the newly discovered campaign, the attackers distribute a backdoor to Android users that is capable of:
- recording phone calls;
- tracking the location of the device;
- viewing SMS messages, the call log, contacts and files;
- collecting incoming messages from social networking and email apps (for this, the app requests access to Android's Accessibility Services);
- downloading additional components from a remote command and control (C&C) server.
The infected version of Telegram was made available for download on February 25, 2022, the same day the malicious domain was registered. The fake Shagle website is no longer active; the lack of telemetry data suggests the activity was highly targeted.
Notably, the fake version of Telegram uses the same package name as the real app. As a result, installation of the malicious version fails on any device where the legitimate Telegram app is already installed.
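The two observations above (a package name copied from the real app, and a permission set that matches the listed capabilities plus an Accessibility Service) are exactly what a mobile-malware analyst checks first when triaging a suspicious APK. The following script is an added example, not code from ESET or from the page: it parses a decoded AndroidManifest.xml, extracts the requested permissions and any declared AccessibilityService, and compares the package name against a table of expected signing-certificate fingerprints. The signer comparison mirrors the check Android itself performs at install time, which is why the trojanized app cannot replace a genuine Telegram install. Assumptions: the permission-to-capability mapping is the analyst's own, `org.telegram.messenger` is Telegram's real package name (from general knowledge, not from the page), the expected fingerprint is a labelled placeholder because the page gives none, and both manifests are constructed samples.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(elem, name):
    """Read an android:-namespaced attribute from a decoded-manifest element."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


# Dangerous permissions mapped to the capability they enable. The mapping is the
# analyst's own choice (assumption) and mirrors the backdoor capabilities listed above.
SENSITIVE_PERMISSIONS = {
    "android.permission.RECORD_AUDIO": "record phone calls / microphone",
    "android.permission.ACCESS_FINE_LOCATION": "track device location",
    "android.permission.READ_SMS": "read SMS messages",
    "android.permission.READ_CALL_LOG": "read call log",
    "android.permission.READ_CONTACTS": "read contacts",
    "android.permission.READ_EXTERNAL_STORAGE": "read files",
}
BIND_ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"

# Package names an impostor is likely to reuse, with the SHA-256 fingerprint of the
# genuine signing certificate. PLACEHOLDER: the real fingerprint is not on the page;
# fill it in from a known-good APK before running this against real samples.
EXPECTED_SIGNERS = {
    "org.telegram.messenger": "PLACEHOLDER_SHA256_OF_GENUINE_TELEGRAM_SIGNING_CERT",
}


def parse_manifest(manifest_xml):
    """Extract the package name, requested permissions, and whether an
    AccessibilityService is declared, from a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    permissions = {android_attr(e, "name") for e in root.iter("uses-permission")}
    has_accessibility = any(
        android_attr(svc, "permission") == BIND_ACCESSIBILITY
        and any(android_attr(a, "name") == ACCESSIBILITY_ACTION for a in svc.iter("action"))
        for svc in root.iter("service")
    )
    return {
        "package": root.get("package"),
        "permissions": permissions,
        "accessibility_service": has_accessibility,
    }


def triage(manifest_xml, signer_sha256):
    """Score a sample. A signer mismatch on a well-known package name is the strongest
    signal; an AccessibilityService combined with several spy permissions is next."""
    info = parse_manifest(manifest_xml)
    capabilities = [label for perm, label in SENSITIVE_PERMISSIONS.items()
                    if perm in info["permissions"]]
    expected = EXPECTED_SIGNERS.get(info["package"])
    signer_mismatch = expected is not None and signer_sha256.lower() != expected.lower()
    if signer_mismatch or (info["accessibility_service"] and len(capabilities) >= 3):
        verdict = "high"
    elif info["accessibility_service"] or len(capabilities) >= 3:
        verdict = "medium"
    else:
        verdict = "low"
    return {
        "package": info["package"],
        "signer_mismatch": signer_mismatch,
        "accessibility_service": info["accessibility_service"],
        "capabilities": capabilities,
        "verdict": verdict,
    }


# Constructed sample: a manifest shaped like the trojanized app described above.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="org.telegram.messenger">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application>
    <service android:name=".MonitorService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""
# Constructed signer fingerprint for the sample (not a real certificate hash).
SAMPLE_SIGNER = "c0ffee" * 10 + "abcd"

# Constructed benign manifest for contrast: unrelated package, only INTERNET.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for name, xml, signer in (("trojan-like", SAMPLE_MANIFEST, SAMPLE_SIGNER),
                              ("benign-like", BENIGN_MANIFEST, "unused")):
        print(name, triage(xml, signer))
```

The signer fingerprint is taken as an input rather than computed here, because extracting it requires parsing the APK's signature block (for example with `apksigner verify --print-certs`); the point of the script is the decision logic, which an analyst can drop into a batch triage pipeline once the expected fingerprint placeholder is replaced.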
According to ESET, either the attacker first contacts the potential victim and persuades them to remove Telegram, or the group focuses on countries where Telegram is rarely used.
Earlier, in 2021, StrongPity distributed Android malware through the Syrian e-Government portal, the group's first known use of Android malware.