ESET researchers identified an active campaign that we have attributed to the StrongPity APT group. Active since November 2021, the campaign has distributed a malicious app through a website impersonating Shagle – a random-video-chat service that provides encrypted communications between strangers. Unlike the entirely web-based, genuine Shagle site that doesn’t offer an official mobile app to access its services, the copycat site only provides an Android app to download and no web-based streaming is possible.
- Only one other Android campaign has been previously attributed to StrongPity.
- This is the first time that the described modules and their functionality have been documented publicly.
- A copycat website, mimicking the Shagle service, is used to distribute StrongPity’s mobile backdoor app.
- The app is a modified version of the open-source Telegram app, repackaged with StrongPity backdoor code.
- Based on similarities with previous StrongPity backdoor code and the app being signed with a certificate from an earlier StrongPity campaign, we attribute this threat to the StrongPity APT group.
- StrongPity’s backdoor is modular, where all necessary binary modules are encrypted using AES and downloaded from its C&C server, and has various spying features.
The malicious app is, in fact, a fully functional but trojanized version of the legitimate Telegram app, however, presented as the non-existent Shagle app. We will refer to it as the fake Shagle app, the trojanized Telegram app, or the StrongPity backdoor in the rest of this blogpost. ESET products detect this threat as Android/StrongPity.A.
This StrongPity backdoor has various spying features: its 11 dynamically triggered modules are responsible for recording phone calls, collecting SMS messages, lists of call logs, contact lists, and much more. These modules are being documented for the very first time. If the victim grants the malicious StrongPity app accessibility services, one of its modules will also have access to incoming notifications and will be able to exfiltrate communication from 17 apps such as Viber, Skype, Gmail, Messenger as well as Tinder.
The campaign is likely very narrowly targeted, since ESET telemetry still doesn’t identify any victims. During our research, the analyzed version of malware available from the copycat website was not active anymore and it was no longer possible to successfully install it and trigger its backdoor functionality because StrongPity hasn’t obtained its own API ID for its trojanized Telegram app. But that might change at any time should the threat actor decide to update the malicious app.
Overview
This StrongPity campaign centers around an Android backdoor delivered from a domain containing the word “dutch”. This website impersonates the legitimate service named Shagle at shagle.com. In Figure 1 you can see the home pages of both websites. The malicious app is provided directly from the impersonating website and has never been made available from the Google Play store. It is a trojanized version of the legitimate Telegram app, presented as if it were the Shagle app, although there is currently no official Shagle Android app.
Figure 1. Comparing the legitimate website on the left and the copycat on the right
As you can see in Figure 2, the HTML code of the fake site includes evidence that it was copied from the legitimate shagle.com site on November 1st, 2021, using the automated tool HTTrack. The malicious domain was registered on the same day, so the copycat site and the fake Shagle app may have been available for download since that date.
Figure 2. Logs generated by the HTTrack tool recorded in the fake website’s HTML code
Victimology
On July 18th, 2022, one of our YARA rules at VirusTotal was triggered when a malicious app and a link to a website mimicking shagle.com were uploaded. At the same time, we were notified on Twitter about that sample, although it was mistakenly attributed to Bahamut. ESET telemetry data still does not identify any victims, suggesting the campaign is likely to have been narrowly targeted.
Attribution
The APK distributed by the copycat Shagle website is signed with the same code-signing certificate (see Figure 3) as a trojanized Syrian e-gov app discovered in 2021 by Trend Micro, which was also attributed to StrongPity.
Figure 3. This certificate signed the fake Shagle app and the trojanized Syrian e-gov app
Malicious code in the fake Shagle app was seen in the previous mobile campaign by StrongPity, and implements a simple, but functional, backdoor. We have seen this code being used only in campaigns conducted by StrongPity. In Figure 4 you can see some of the added malicious classes with many of the obfuscated names even being the same in the code from both campaigns.
Figure 4. Class name comparison of the trojanized Syrian e-gov app (left) and the trojanized Telegram app (right)
Comparing the backdoor code from this campaign to that from the trojanized Syrian e-gov app (SHA-1: 5A5910C2C9180382FCF7A939E9909044F0E8918B), it has extended functionality but with the same code being used to provide similar functions. In Figure 5 and Figure 6 you can compare the code from both samples that is responsible for sending messages between components. These messages are responsible for triggering the backdoor’s malicious behavior. Hence, we strongly believe that the fake Shagle app is linked to the StrongPity group.
Figure 5. Message dispatcher responsible for triggering malicious functionality in the trojanized Syrian e-gov app
Figure 6. Message dispatcher responsible for triggering malicious functionality in the fake Shagle app
Technical analysis
Initial access
As described in the Overview section of this blogpost, the fake Shagle app has been hosted at the Shagle copycat website, from which victims had to choose to download and install the app. There was no subterfuge suggesting the app was available from Google Play and we do not know how potential victims were lured to, or otherwise discovered, the fake website.
Toolset
According to the description on the copycat website, the app is free and intended to be used to meet and chat with new people. However, the downloaded app is a maliciously patched Telegram app, specifically Telegram version 7.5.0 (22467), which was available for download around February 25th, 2022.
The repackaged version of Telegram uses the same package name as the legitimate Telegram app. Package names are supposed to be unique IDs for each Android app and must be unique on any given device. This means that if the official Telegram app is already installed on the device of a potential victim, then this backdoored version can’t be installed; see Figure 7. This might mean one of two things – either the threat actor first communicates with potential victims and pushes them to uninstall Telegram from their devices if it is installed, or the campaign focuses on countries where Telegram usage is rare for communication.
Figure 7. If the official Telegram app is already installed on the device, the trojanized version cannot be successfully installed
StrongPity’s trojanized Telegram app should have worked just as the official version does for communication, using standard APIs that are well documented on the Telegram website – but the app doesn’t work anymore, so we’re unable to check.
During our research, the current version of malware available from the copycat website was not active anymore and it was no longer possible to successfully install it and trigger its backdoor functionality. When we tried to sign up using our phone number, the repackaged Telegram app couldn’t obtain the API ID from the server, and hence did not work properly. As seen in Figure 8, the app displayed an API_ID_PUBLISHED_FLOOD error.
Figure 8. Error displayed during sign-up using phone number
Based on Telegram’s error documentation, it seems that StrongPity hasn’t obtained its own API ID. Instead, it has used the sample API ID included in Telegram’s open-source code for initial testing purposes. Telegram monitors API ID usage and limits the sample API ID, so its use in a released app results in the error seen in Figure 8. Because of the error, it is not possible to sign up and use the app or trigger its malicious functionality anymore. This might mean that StrongPity operators didn’t think this through, or perhaps there was enough time to spy on victims between publishing the app and it being deactivated by Telegram for APP ID overuse. Since no new and working version of the app was ever made available through the website, it might suggest that StrongPity successfully deployed the malware to its desired targets.
As a result, the fake Shagle app available on the fake website at the time of our research was not active anymore. However, this might change anytime should the threat actors decide to update the malicious app.
Components of, and permissions required by, the StrongPity backdoor code are appended to the Telegram app’s AndroidManifest.xml file. As can be seen in Figure 9, this makes it easy to see what permissions are necessary for the malware.
Figure 9. AndroidManifest.xml with components and permissions of the StrongPity backdoor highlighted
From the Android manifest we can see that malicious classes were added in the org.telegram.messengerpackage to appear as part of the original app.
The initial malicious functionality is triggered by one of three broadcast receivers that are executed after defined actions – BOOT_COMPLETED, BATTERY_LOW, or USER_PRESENT. After the first start, it dynamically registers additional broadcast receivers to monitor SCREEN_ON, SCREEN_OFF, and CONNECTIVITY_CHANGE events. The fake Shagle app then uses IPC (interprocess communication) to communicate between its components to trigger various actions. It contacts the C&C server using HTTPS to send basic information about the compromised device and receives an AES-encrypted file containing 11 binary modules that will be dynamically executed by the parent app; see Figure 10. As seen in Figure 11, these modules are stored in the app’s internal storage, /data/user/0/org.telegram.messenger/files/.li/.
Figure 10. StrongPity backdoor receives an encrypted file that contains executable modules
Figure 11. Modules received from the server stored in the StrongPity backdoor’s internal storage
Each module is responsible for different functionality. The list of the module names is stored in local shared preferences in the sharedconfig.xml file; see Figure 12.
Modules are dynamically triggered by the parent app whenever necessary. Each module has its own module name and is responsible for different functionality such as:
- libarm.jar (cm module) – records phone calls
- libmpeg4.jar (nt module) – collects text of incoming notification messages from 17 apps
- local.jar (fm/fp module) – collects file list (file tree) on the device
- phone.jar (ms module) – misuses accessibility services to spy on messaging apps by exfiltrating contact name, chat message, and date
- resources.jar (sm module) – collects SMS messages stored on the device
- services.jar (lo module) – obtains device location
- systemui.jar (sy module) – collects device and system information
- timer.jar (ia module) – collects a list of installed apps
- toolkit.jar (cn module) – collects contact list
- watchkit.jar (ac module) – collects a list of device accounts
- wearkit.jar (cl module) – collects a list of call logs
Figure 12. List of modules used by the StrongPity backdoor
All obtained data is stored in the clear in /data/user/0/org.telegram.messenger/databases/outdata, before being encrypted using AES and sent to the C&C server, as you can see in Figure 13.
Figure 13. Encrypted user data exfiltrated to the C&C server
This StrongPity backdoor has extended spying features compared to the first StrongPity version discovered for mobile. It can request the victim to activate accessibility services and gain notification access; see Figure 14. If the victim enables them, the malware will spy on incoming notifications and misuses accessibility services to exfiltrate chat communication from other apps.
Figure 14. Malware requests, from the victim, notification access and accessibility services
With notification access, the malware can read received notification messages coming from 17 targeted apps. Here is a list of their package names:
- Messenger (com.facebook.orca)
- Messenger Lite (com.facebook.mlite)
- Viber – Safe Chats And Calls (com.viber.voip)
- Skype (com.skype.raider)
- LINE: Calls & Messages (jp.naver.line.android)
- Kik — Messaging & Chat App (kik.android)
- tango-live stream & video chat (com.sgiggle.production)
- Hangouts (com.google.android.talk)
- Telegram (org.telegram.messenger)
- WeChat (com.tencent.mm)
- Snapchat (com.snapchat.android)
- Tinder (com.tinder)
- Hike News & Content (com.bsb.hike)
- Instagram (com.instagram.android)
- Twitter (com.twitter.android)
- Gmail (com.google.android.gm)
- imo-International Calls & Chat (com.imo.android.imoim)
If the device is already rooted, the malware silently tries to grant permissions to WRITE_SETTINGS, WRITE_SECURE_SETTINGS, REBOOT, MOUNT_FORMAT_FILESYSTEMS, MODIFY_PHONE_STATE, PACKAGE_USAGE_STATS, READ_PRIVILEGED_PHONE_STATE, to enable accessibility services, and to grant notification access. The StrongPity backdoor then tries to disable the SecurityLogAgent app (com.samsung.android.securitylogagent), which is an official system app that helps protect the security of Samsung devices, and disables all app notifications coming from the malware itself that might be displayed to the victim in the future in case of app errors, crashes, or warnings. The StrongPity backdoor does not itself try to root a device.
The AES algorithm uses CBC mode and hardcoded keys to decrypt the downloaded modules:
- AES key – aaaanothingimpossiblebbb
- AES IV – aaaanothingimpos
Conclusion
The mobile campaign operated by the StrongPity APT group impersonated a legitimate service to distribute its Android backdoor. StrongPity repackaged the official Telegram app to include a variant of the group’s backdoor code.
That malicious code, its functionality, class names, and the certificate used to sign the APK file, are the same as from the previous campaign; thus we believe with high confidence that this operation belongs to the StrongPity group.
At the time of our research, the sample that was available on the copycat website was disabled due to the API_ID_PUBLISHED_FLOOD error, which results in malicious code not being triggered and potential victims possibly removing the non-working app from their devices.
Code analysis reveals that the backdoor is modular and additional binary modules are downloaded from the C&C server. This means that the number and type of modules used can be changed at any time to fit the campaign requests when operated by the StrongPity group.
Based on our analysis, this appears to be the second version of StrongPity’s Android malware; compared to its first version, it also misuses accessibility services and notification access, stores collected data in a local database, tries to execute su commands, and for most of the data collection uses downloaded modules.
IoCs
Files
| SHA-1 | File name | ESET detection name | Description |
|---|---|---|---|
| 50F79C7DFABECF04522AEB2AC987A800AB5EC6D7 | video.apk | Android/StrongPity.A | StrongPity backdoor (legitimate Android Telegram app repackaged with malicious code). |
| 77D6FE30DAC41E1C90BDFAE3F1CFE7091513FB91 | libarm.jar | Android/StrongPity.A | StrongPity mobile module responsible for recording phone calls. |
| 5A15F516D5C58B23E19D6A39325B4B5C5590BDE0 | libmpeg4.jar | Android/StrongPity.A | StrongPity mobile module responsible for collecting text of received notifications. |
| D44818C061269930E50868445A3418A0780903FE | local.jar | Android/StrongPity.A | StrongPity mobile module responsible for collecting a file list on the device. |
| F1A14070D5D50D5A9952F9A0B4F7CA7FED2199EE | phone.jar | Android/StrongPity.A | StrongPity mobile module responsible for misusing accessibility services to spy on other apps. |
| 3BFAD08B9AC63AF5ECF9AA59265ED24D0C76D91E | resources.jar | Android/StrongPity.A | StrongPity mobile module responsible for collecting SMS messages stored on the device. |
| 5127E75A8FAF1A92D5BD0029AF21548AFA06C1B7 | services.jar | Android/StrongPity.A | StrongPity mobile module responsible for obtaining device location. |
| BD40DF3AD0CE0E91ACCA9488A2FE5FEEFE6648A0 | systemui.jar | Android/StrongPity.A | StrongPity mobile module responsible for collecting device and system information. |
| ED02E16F0D57E4AD2D58F95E88356C17D6396658 | timer.jar | Android/StrongPity.A | StrongPity mobile module responsible for collecting a list of installed apps. |
| F754874A76E3B75A5A5C7FE849DDAE318946973B | toolkit.jar | Android/StrongPity.A | StrongPity mobile module responsible for collecting the contacts list. |
| E46B76CADBD7261FE750DBB9B0A82F262AFEB298 | watchkit.jar | Android/StrongPity.A | StrongPity mobile module responsible for collecting a list of device accounts. |
| D9A71B13D3061BE12EE4905647DDC2F1189F00DE | wearkit.jar | Android/StrongPity.A | StrongPity mobile module responsible for collecting a list of call logs. |
Network
| IP | Provider | First seen | Details |
|---|---|---|---|
| 141.255.161[.]185 | NameCheap | 2022-07-28 | intagrefedcircuitchip[.]com C&C |
| 185.12.46[.]138 | Porkbun | 2020-04-21 | networksoftwaresegment[.]com C&C |
MITRE ATT&CK techniques
This table was built using version 12 of the MITRE ATT&CK framework.
| Tactic | ID | Name | Description |
|---|---|---|---|
| Persistence | T1398 | Boot or Logon Initialization Scripts | The StrongPity backdoor receives the BOOT_COMPLETED broadcast intent to activate at device startup. |
| T1624.001 | Event Triggered Execution: Broadcast Receivers | The StrongPity backdoor functionality is triggered if one of these events occurs: BATTERY_LOW, USER_PRESENT, SCREEN_ON, SCREEN_OFF, or CONNECTIVITY_CHANGE. | |
| Defense Evasion | T1407 | Download New Code at Runtime | The StrongPity backdoor can download and execute additional binary modules. |
| T1406 | Obfuscated Files or Information | The StrongPity backdoor uses AES encryption to obfuscate downloaded modules and to hide strings in its APK. | |
| T1628.002 | Hide Artifacts: User Evasion | The StrongPity backdoor can disable all app notifications coming from the malware itself to hide its presence. | |
| T1629.003 | Impair Defenses: Disable or Modify Tools | If the StrongPity backdoor has root it disables SecurityLogAgent (com.samsung.android.securitylogagent) if present. | |
| Discovery | T1420 | File and Directory Discovery | The StrongPity backdoor can list available files on external storage. |
| T1418 | Software Discovery | The StrongPity backdoor can obtain a list of installed applications. | |
| T1422 | System Network Configuration Discovery | The StrongPity backdoor can extract IMEI, IMSI, IP address, phone number, and country. | |
| T1426 | System Information Discovery | The StrongPity backdoor can extract information about the device including type of internet connection, SIM serial number, device ID, and common system information. | |
| Collection | T1417.001 | Input Capture: Keylogging | The StrongPity backdoor logs keystrokes in chat messages and call data from targeted apps. |
| T1517 | Access Notifications | The StrongPity backdoor can collect notification messages from 17 targeted apps. | |
| T1532 | Archive Collected Data | The StrongPity backdoor encrypts exfiltrated data using AES. | |
| T1430 | Location Tracking | The StrongPity backdoor tracks device location. | |
| T1429 | Audio Capture | The StrongPity backdoor can record phone calls. | |
| T1513 | Screen Capture | The StrongPity backdoor can record device screen using the MediaProjectionManager API. | |
| T1636.002 | Protected User Data: Call Logs | The StrongPity backdoor can extract call logs. | |
| T1636.003 | Protected User Data: Contact List | The StrongPity backdoor can extract the device’s contact list. | |
| T1636.004 | Protected User Data: SMS Messages | The StrongPity backdoor can extract SMS messages. | |
| Command and Control | T1437.001 | Application Layer Protocol: Web Protocols | The StrongPity backdoor uses HTTPS to communicate with its C&C server. |
| T1521.001 | Encrypted Channel: Symmetric Cryptography | The StrongPity backdoor uses AES to encrypt its communication. | |
| Exfiltration | T1646 | Exfiltration Over C2 Channel | The StrongPity backdoor exfiltrates data using HTTPS. |
原文始发于Lukas Stefanko:StrongPity espionage campaign targeting Android users
转载请注明:StrongPity espionage campaign targeting Android users | CTF导航
相关文章
