StrongPity APT Hacking Group is spreading a fake Shagle Chat app. It is trojanized and has an additional backdoor.
Shagle is a legitimate random-video chat service that lets strangers talk over encrypted channels. It works only in the browser and has no mobile application.
In 2021, StrongPity was found using a fake website imitating the Shagle site to lure victims into downloading a malicious Android app.
This app allows hackers to spy on targeted victims by monitoring their phone calls and collecting SMS text messages. They can also grab contact lists.
Source: ESET
StrongPity (also known as Promethium or APT-C-41) was previously attributed to a campaign which distributed , and infected targets with malware.
ESET researchers discovered the latest StrongPity activity and attributed it to the espionage APT group based on code similarities to earlier payloads.
The Android app was signed with the same certificate that the APT used to sign an app imitating the Syrian egov Android application during a 2021 campaign.
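The certificate reuse described above gives defenders a cheap triage check on a sideloaded APK: a trojanized build cannot carry the legitimate developer's signing certificate, so its signer fingerprint will not match a known-good copy. The following is an added example (not code from ESET or from this article), standard-library Python only; it reads the v1 (JAR) signature in META-INF/*.RSA and ignores v2/v3 signing blocks, the expected fingerprint is assumed to be taken from a trusted copy of the app (for instance with `apksigner verify --print-certs`), and the sample APK it builds is constructed, not a real one.

```python
import hashlib, io, zipfile

def der_tlv(buf, pos):
    """Decode the DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length (real certificates need it)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def der(tag, body):  # short-form DER encoder, used only to build the constructed sample
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def signed_data_certificates(pkcs7):
    """Return the DER certificates carried in a PKCS#7 SignedData blob (META-INF/*.RSA)."""
    _, p, _ = der_tlv(pkcs7, 0)             # ContentInfo SEQUENCE
    tag, _, p = der_tlv(pkcs7, p)           # contentType OID (skipped)
    assert tag == 0x06, "not a PKCS#7 ContentInfo"
    _, p, _ = der_tlv(pkcs7, p)             # content [0] EXPLICIT
    _, p, _ = der_tlv(pkcs7, p)             # SignedData SEQUENCE
    for _ in range(3):                      # version, digestAlgorithms, encapContentInfo
        _, _, p = der_tlv(pkcs7, p)
    tag, p, end = der_tlv(pkcs7, p)         # certificates [0] IMPLICIT, if present
    certs = []
    while tag == 0xA0 and p < end:
        _, _, nxt = der_tlv(pkcs7, p)
        certs.append(pkcs7[p:nxt])
        p = nxt
    return certs

def cert_fingerprint(cert_der):
    return hashlib.sha256(cert_der).hexdigest()

def signer_fingerprints(apk_bytes):
    """SHA-256 of each signer certificate in the APK's v1 (JAR) signature; compare with a trusted build."""
    fps = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                fps += [cert_fingerprint(c) for c in signed_data_certificates(z.read(name))]
    return fps

def build_sample_apk(cert_der):
    """Constructed sample: a minimal APK-shaped zip whose CERT.RSA carries cert_der."""
    signed = der(0x30, der(0x02, b"\x01") + der(0x31, b"")
                 + der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x01")) + der(0xA0, cert_der))
    pkcs7 = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02") + der(0xA0, signed))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z: z.writestr("META-INF/CERT.RSA", pkcs7)
    return buf.getvalue()
```

A fingerprint that differs from the trusted build's is reason to treat the package as untrusted; a match only shows the same signing key, not that the APK is otherwise unmodified.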
Trojanizing Android Telegram
StrongPity distributed a malicious Android app called “video.apk”, a modified Telegram v7.5.0 app (February 2022) repackaged to appear as a Shagle app.
ESET could not determine how victims arrived at the fake Shagle website, but spear-phishing email, SMS phishing or instant messaging on other online platforms are likely.
The malicious APK was downloaded directly from the fake Shagle site; it was never available on Google Play.
ESET states that the first cloned website appeared online in November 2021, so the APK has likely been available for distribution ever since. The first detection in the wild was made in July 2022.
Telegram is not an ideal choice for the hacking group: the backdoored version will not install on devices where the legitimate Telegram app is already installed.
Malicious app won’t install because Telegram is already installed
Source: ESET
The API ID used in the captured samples is now limited, so the trojanized app no longer accepts new registrations.
ESET believes this indicates that StrongPity had already distributed the malware to its targeted victims successfully.
Spy on victims using backdoor
After installation, the malware asks for access to Accessibility Services and fetches an AES-encrypted file from the attacker’s command-and-control servers.
The file contains 11 binary modules that are extracted on the device and used by the backdoor for its malicious functions.
The 11 modules fetched from the C2
Source: ESET
Each module performs one espionage function and can be triggered when needed. Below is the complete list of spyware modules:
- libarm.jar – records phone calls
- libmpeg4.jar – collects the text of incoming notification messages from 17 apps
- Local.jar – collects files (file trees) from the device
- Phone.jar – uses Accessibility Services to spy on messaging apps, exfiltrating chat messages and contact names
- Resources.jar – collects all SMS messages on the device
- services.jar – obtains the device location
- Systemui.jar – collects system and device information
- Timer.jar – collects the list of installed apps
- Toolkit.jar – collects contacts
- Watchkit.jar – collects information about device accounts
- Wearkit.jar – collects call logs
All gathered data is saved in the app directory, encrypted with AES, and then sent to the attacker’s command-and-control server.
The malware can read notifications from Messenger, Viber and Skype, as well as Snapchat and Tinder.
Trojan app requesting dangerous permissions
Source: ESET
On rooted devices, the malware's administrator privileges allow it to change security settings and write files on the system; it can also perform dangerous actions such as rebooting the device.
The StrongPity hacking group has been hiding backdoors inside legitimate software installers since 2012, and ESET reports that the threat actor still uses the same tactics 10 years later.
Android users should be wary of APKs downloaded from outside Google Play, and should pay close attention to the permissions requested when installing new apps.