The StrongPity APT hacking group is distributing a fake Shagle chat app that is a trojanized version of the Telegram for Android app with an added backdoor.
Shagle is a legitimate random-video-chat platform allowing strangers to talk via an encrypted communications channel. However, the platform is entirely web-based, not offering a mobile app.
StrongPity has been found using a fake website since 2021 that impersonates the actual Shagle site to trick victims into downloading a malicious Android app.
Once installed, this app enables the hackers to conduct espionage on the targeted victims, including monitoring phone calls, collecting SMS texts, and grabbing contact lists.
StrongPity, also known as Promethium or APT-C-41, was previously attributed to a campaign that distributed trojanized Notepad++ installers and malicious versions of WinRAR and TrueCrypt to infect targets with malware.
The latest StrongPity activity was discovered by ESET researchers who attributed the campaign to the espionage APT group based on code similarities with past payloads.
Additionally, the Android app is signed with the same certificate the APT used to sign an app that mimicked the Syrian e-gov Android application in a 2021 campaign.
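Because the attribution above rests on the APK's signing certificate, a defender checking a suspicious Android package wants the signer's certificate fingerprint, which is what `apksigner verify --print-certs` reports. The following added example (not code from ESET or from the article) does the same thing in plain Python for the classic JAR-style (v1) signature: it opens the APK as a zip, walks the DER of the PKCS#7 block under `META-INF/`, hashes each embedded certificate with SHA-256, and compares the fingerprints against a blocklist. The blocklist entry, the `build_sample_apk` fixture and the certificate bytes inside it are constructed placeholders, not real StrongPity indicators; the article publishes no fingerprint. APKs signed only with the v2/v3 scheme keep their certificates in the APK Signing Block rather than `META-INF/`, which this walker does not read.

```python
import hashlib
import io
import zipfile

# Constructed placeholder: replace with a vetted fingerprint from a trusted report.
KNOWN_BAD_SIGNER_SHA256 = {"PLACEHOLDER_SHA256_OF_KNOWN_BAD_SIGNER_CERT"}

OID_SIGNED_DATA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"  # 1.2.840.113549.1.7.2
OID_DATA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x01"         # 1.2.840.113549.1.7.1


def _tlv(buf, pos):
    """Decode one DER tag/length; return (tag, value_start, element_end)."""
    tag, first = buf[pos], buf[pos + 1]
    if first & 0x80:                       # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr = 2 + n
    else:
        length, hdr = first, 2
    return tag, pos + hdr, pos + hdr + length


def _children(buf, start, end):
    """Yield (tag, element_start, value_start, element_end) for each child TLV."""
    pos = start
    while pos < end:
        tag, vstart, elem_end = _tlv(buf, pos)
        yield tag, pos, vstart, elem_end
        pos = elem_end


def certificates_from_pkcs7(der):
    """Return the DER bytes of every certificate carried in a PKCS#7 SignedData blob."""
    tag, vstart, vend = _tlv(der, 0)        # ContentInfo ::= SEQUENCE { OID, [0] EXPLICIT SignedData }
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    signed_data = None
    for tag, _, vs, ve in _children(der, vstart, vend):
        if tag == 0xA0:                     # [0] EXPLICIT wrapper around SignedData
            signed_data = _tlv(der, vs)     # -> (0x30, value_start, element_end)
    if signed_data is None or signed_data[0] != 0x30:
        return []
    certs = []
    for tag, _, vs, ve in _children(der, signed_data[1], signed_data[2]):
        if tag == 0xA0:                     # certificates [0] IMPLICIT SET OF Certificate
            for ctag, cstart, _, cend in _children(der, vs, ve):
                if ctag == 0x30:            # each Certificate is a SEQUENCE
                    certs.append(der[cstart:cend])
    return certs


def signer_fingerprints(apk):
    """SHA-256 fingerprints of all v1 signer certificates in an APK (path, file or bytes)."""
    if isinstance(apk, (bytes, bytearray)):
        apk = io.BytesIO(apk)
    fps = []
    with zipfile.ZipFile(apk) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                for cert in certificates_from_pkcs7(z.read(name)):
                    fps.append(hashlib.sha256(cert).hexdigest())
    return fps


def check_apk(apk, blocklist=KNOWN_BAD_SIGNER_SHA256):
    """Return the subset of signer fingerprints that appear on the blocklist."""
    return [fp for fp in signer_fingerprints(apk) if fp in blocklist]


def _der(tag, payload):
    """Minimal DER encoder used only to build the constructed test fixture."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def build_sample_apk():
    """Constructed APK-shaped zip with a toy PKCS#7 block; returns (apk_bytes, expected_fingerprint)."""
    cert = _der(0x30, _der(0x04, b"constructed-cert"))     # stand-in for an X.509 SEQUENCE
    signed_data = _der(0x30, _der(0x02, b"\x01")             # version
                       + _der(0x31, b"")                     # digestAlgorithms (empty)
                       + _der(0x30, _der(0x06, OID_DATA))    # encapContentInfo
                       + _der(0xA0, cert)                    # certificates [0]
                       + _der(0x31, b""))                    # signerInfos (empty)
    content_info = _der(0x30, _der(0x06, OID_SIGNED_DATA) + _der(0xA0, signed_data))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<constructed/>")
        z.writestr("META-INF/CERT.RSA", content_info)
    return buf.getvalue(), hashlib.sha256(cert).hexdigest()


if __name__ == "__main__":
    apk_bytes, expected = build_sample_apk()
    print("signer fingerprints:", signer_fingerprints(apk_bytes))
    print("blocklist hits:", check_apk(apk_bytes, {expected}))
```

Run `check_apk("suspect.apk")` against a fingerprint list taken from a vendor report; a non-empty result means the package was signed with a certificate already tied to a known campaign, which is exactly the kind of link ESET used here. Treat an empty result as inconclusive: a v2/v3-only signature, a re-signed repackage, or a fresh certificate all produce no hit.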