Android users, beware: a dangerous espionage campaign has been operating since the end of 2021

Once again, cybercriminals are following Internet trends. This time they decided to clone the page of a video-chat service that lets users anywhere in the world meet one or more people at the same time and hold "private" conversations with strangers. That platform, Shagle, is one of the youngest services in its industry, having been launched only five years ago. Even so, it has gained popularity in various parts of the globe, and the main reason is that it is available in more than 70 countries. However, a latent threat hangs over Android users: the installation of an application that ends up spying on them.

The campaign has been running since the end of 2021

Taking advantage of the platform's popularity (Shagle is only available as a desktop/web version), a campaign has been identified by ESET, a company specializing in the detection of digital threats. The campaign, which is still active today, belongs to the StrongPity APT group. It distributes a malicious version of Telegram for Android, presented as an app called Shagle, even though that video-chat service has no mobile version. Since November 2021 this malware has been spread through a website that impersonates Shagle.

Unlike the legitimate page, the fake site offers visitors a bogus Android app to download and, of course, does not provide the web-based service. The app works as a modular backdoor with various spying functions and is also known as the "StrongPity backdoor". To be precise, it has 11 dynamically activated modules that allow the application to:

  • Record phone calls.
  • Collect text messages.
  • Access the list of call logs.
  • Access to the contact list, and much more.

If the victim grants the malicious app access to the Accessibility Service, one of its modules will also gain access to incoming notifications and will be able to exfiltrate communications from 17 apps, among them Viber, Skype, Gmail, Messenger and Tinder.

How does this malware work?

ESET specialists, focusing on some key points of this research, concluded that:

  • To distribute the fake application with the features of the "StrongPity backdoor" (that is, with its spying modules), the attackers use a cloned Shagle website that perfectly imitates the official one.
  • The application downloaded from the fake website is a modified version of Telegram. Remember that, being an open-source app, Telegram can be repackaged with the code of the StrongPity group's backdoor.
  • The threat is attributed to the StrongPity APT group because of code similarities with the backdoor used in an earlier espionage campaign. It is also signed with a certificate linked to StrongPity.
  • The "StrongPity backdoor" is modular and has various spying functions. All the binary modules it needs are encrypted with AES and are downloaded from the command-and-control (C&C) server that controls the malware.
    • AES, the "Advanced Encryption Standard", also known as Rijndael, is a block cipher adopted as an encryption standard by the United States government and designed in Belgium.
  • This is the first time the modules described and the functionality of StrongPity have been publicly documented.

"The malicious app is, in fact, a fully functional but trojanized version of the legitimate Telegram app. However, it poses as Shagle's app, which does not exist. We will call this app the fake Shagle app, the trojanized Telegram app or the StrongPity backdoor," said Camilo Gutiérrez Amaya, a specialist at ESET Latin America.

This is what it looks like

The campaign probably targets a very specific and limited set of people, since possible victims have not yet been identified. ESET's investigation concluded that the version of the malware it analyzed, the one available on the fake website, is no longer active, so it could not be installed properly or have its functionality activated. However, ESET clarified that this could change at any time if the attacker decided to update the malicious application and resume the espionage. It should be noted that the people affected by this campaign would be, mainly, Android users. We must point out that the app works through the Telegram interface, so even if it looks real, it is not!

"The fake Shagle app was hosted on the website posing as the official Shagle website, from where the victims had to download and install the app. There was no subterfuge to suggest that the app was available on Google Play, and we don't know how potential victims were lured into or found out about the fake website," Gutiérrez Amaya of ESET concluded.

How can I protect myself if I have fallen victim to this scam?

  • Delete the app immediately.
  • Even if it takes more work, your safety comes first, so:
    • Reset your phone to factory settings.
    • If you can change your passwords for social media, banking apps, etc., do it!
    • You can install an antivirus to detect this type of fraud in time.
  • Skip installing apps that do not come from your official provider, such as the Google Play Store or the App Store.
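One practical check a responder can run, as an added example that is not part of the article or of ESET's research: pull the list of third-party packages with their installer from the phone and cross it with the accessibility services currently enabled. An app sideloaded from a website, the way the fake Shagle app was distributed, shows `installer=null`, and a sideloaded app that also holds accessibility access is exactly the combination the backdoor needs to read other apps' notifications. The two adb commands are real; the sample outputs are constructed, and every package name in them is hypothetical except org.telegram.messenger (Telegram's real package id), used only to show how a sideloaded Telegram build would appear.

```python
"""Triage of sideloaded Android apps that also have accessibility access.

Added example; this is not code from ESET or from the article. It parses
the output of two real adb commands that a responder would run against a
device suspected of carrying the fake Shagle app:

    adb shell pm list packages -3 -i
    adb shell settings get secure enabled_accessibility_services

The sample outputs below are constructed. The package names are
hypothetical except org.telegram.messenger (Telegram's real package id).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Installers considered trusted. An APK sideloaded from a browser download
# shows up as installer=null. Add OEM stores you trust.
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play Store

# Constructed sample of `pm list packages -3 -i` (third-party apps only).
SAMPLE_PACKAGES = """\
package:com.whatsapp  installer=com.android.vending
package:org.telegram.messenger  installer=null
package:com.example.notes  installer=null
package:com.example.bank  installer=com.android.vending
"""

# Constructed sample of the enabled_accessibility_services setting:
# colon-separated "<package>/<service class>" entries, or "null" when empty.
SAMPLE_A11Y = ("org.telegram.messenger/org.telegram.messenger.AccessService:"
               "com.example.bank/.ReaderHelper")

PKG_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")


def parse_package_list(text: str) -> Dict[str, Optional[str]]:
    """Map each package to its installer package, or None if sideloaded."""
    installers: Dict[str, Optional[str]] = {}
    for line in text.splitlines():
        m = PKG_RE.match(line.strip())
        if not m:
            continue  # blank lines or unexpected output
        pkg, installer = m.groups()
        installers[pkg] = None if installer == "null" else installer
    return installers


def parse_accessibility_services(value: str) -> Set[str]:
    """Return the packages that currently have an accessibility service enabled."""
    value = value.strip()
    if not value or value == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in value.split(":") if entry}


@dataclass(frozen=True)
class Finding:
    package: str
    installer: Optional[str]
    accessibility_enabled: bool
    severity: str  # "high", "medium" or "low"


def triage(package_text: str, a11y_value: str) -> List[Finding]:
    """Flag apps worth inspecting, most severe first.

    high   : sideloaded AND holds accessibility access (the combination the
             StrongPity backdoor needs to read notifications from other apps)
    medium : sideloaded only
    low    : from a trusted store but holds accessibility access
    """
    installers = parse_package_list(package_text)
    a11y_packages = parse_accessibility_services(a11y_value)
    findings: List[Finding] = []
    for pkg in sorted(installers):
        installer = installers[pkg]
        sideloaded = installer not in TRUSTED_INSTALLERS
        has_a11y = pkg in a11y_packages
        if sideloaded and has_a11y:
            severity = "high"
        elif sideloaded:
            severity = "medium"
        elif has_a11y:
            severity = "low"
        else:
            continue  # store-installed, no accessibility access: nothing to flag
        findings.append(Finding(pkg, installer, has_a11y, severity))
    return sorted(findings, key=lambda f: ("high", "medium", "low").index(f.severity))


if __name__ == "__main__":
    for f in triage(SAMPLE_PACKAGES, SAMPLE_A11Y):
        print(f"{f.severity:6} {f.package:28} installer={f.installer} "
              f"accessibility={f.accessibility_enabled}")
```

A "high" finding is a reason to inspect, not a verdict: a Telegram build downloaded from telegram.org is sideloaded too, and some legitimate apps need accessibility access. The point of the check is to surface exactly the apps whose install path and permissions match what the article describes, so the responder can look at them first.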




Source: El Heraldo De Mexico
