The experts at the European IT security manufacturer ESET have attributed this campaign to the APT group StrongPity. Their StrongPity backdoor has various spying functions: its eleven dynamically triggered modules are responsible, among other things, for recording telephone conversations and collecting SMS messages, call logs and contact lists.

Malicious StrongPity Telegram app accesses communications from many other apps

If affected Android users grant the malicious app access to notifications and services, the application also gains access to incoming notifications from 17 other apps, such as Viber, Skype, Gmail, Messenger and Tinder. This allows the malicious program to exfiltrate chat communications from those applications. The ESET experts suspect that the StrongPity backdoor is intended for targeted attacks. They published their analysis on WeLiveSecurity.

The malicious version of the Telegram app was offered for download on a copycat website imitating the free webcam chat service Shagle. This trojanized application was never available on the Google Play Store.

ESET researchers: Evidence points to StrongPity group

The malicious code, its functionality, its class names and the certificate used to sign the APK file are identical to those used in a previous campaign. ESET therefore attributes this operation to the StrongPity group with high confidence. The code analysis revealed that the backdoor is modular and that additional binary modules are downloaded from the command-and-control server. This means that the number and type of modules in use can be changed at any time, allowing the StrongPity group to adapt the backdoor to the needs of a campaign while it is running.

The malicious version uses the same package name as the legitimate Telegram app. Package names uniquely identify each Android app, so no two apps with the same package name can be installed on one device. This means that if the official Telegram app is already installed on a potential victim's device, the infected version cannot be installed alongside it.

“This can mean two things: either the attacker first communicates with potential victims and pressures them to uninstall Telegram from their devices if it is already installed, or the campaign focuses on countries where Telegram is rarely used for communication. … During our investigation, the analyzed version of the malware was no longer active. The backdoor functionality could no longer be installed and triggered successfully. But that can change at any time if the threat actor decides to update the malicious app.”

ESET researcher Lukáš Štefanko, who analyzed the infected Telegram app

What is an APT group?

APT stands for Advanced Persistent Threat. The goal of such a group is to gain access to a target network and keep it for as long as possible. It is less about damaging the attacked network than about behaving inconspicuously and extracting data. These attacks usually require considerable effort and resources and therefore aim at high-value targets such as states, authorities or large companies.

The analysis and further technical information are available on WeLiveSecurity.

Source:

Press release

Notes:
1) This content reflects the state of affairs at the time of publication. The reproduction of individual images, screenshots, embeds or video sequences serves to discuss the topic.
2) Individual contributions were created with the use of machine assistance and were carefully checked by the Mimikama editorial team before publication.