StrongPity APT Group Hacked An Official Gov website to Deliver Android Malware

The StrongPity APT group has recently expanded its operations to Android malware, and to deliver it the group compromised the Syrian e-Government portal and used it to distribute an Android trojan.

All of this points to an upgraded arsenal for the StrongPity APT group, one specifically built to compromise its victims.

The researchers said this is the first time they have observed the group using malicious Android apps in its attacks.


StrongPity APT Group

The StrongPity APT group primarily targets Turkey and Syria and is believed to have been active since 2012. Security researchers at Microsoft track the group under the codename “Promethium.”

In June 2020 the group was linked to several espionage campaigns in which it infected targets with trojanised versions of legitimate apps, abusing the reputation of genuine software to lure victims.

Technical Investigation and Analysis

Security researchers at Trend Micro report that the attackers compromised the Syrian government's e-Government portal and replaced the genuine Android app with a malicious one.

During the investigation, the researchers found the malicious APK file hosted at the following URL:-

  • https://egov[.]sy/mobile/egov[.]apk

The malicious app can steal the contact list and files with specific extensions from the victim’s device, including:-

  • Word documents
  • Excel documents
  • PDF files
  • Images
  • Security keys
  • Files saved with Dagesh Pro Word Processor (.DGS)

Once the app has collected this data from the targeted device, it sends it to a server operated by the threat actors. The analysts found six malicious samples sharing the same app name and package-name prefix:-

  • App name: “بوابتي”
  • Package names: com.egov.app.*

The malicious version of the app also requests more permissions than the original, namely:-

  • View contacts
  • Read and write external storage
  • Keep the device awake
  • Access geolocation information
  • Telecom operator information
  • Wi-Fi networks information
  • Auto start after booting

Beyond these, the malicious app can run long-running tasks in the background and initiate requests to its C&C server.

The malware also adapts its behaviour according to a configuration file delivered inside an encrypted payload.

Pre-defined File Extensions Abused

The malicious app searches the device for files with the following pre-defined extensions:-

  • .asc
  • .dgs
  • .doc
  • .docx
  • .edf
  • .gpg
  • .jpeg
  • .jpg
  • .key
  • .m2r
  • .meo
  • .pdf
  • .pgp
  • .pir
  • .pkr
  • .pub
  • .rjv
  • .rms
  • .sem
  • .sit
  • .skr
  • .sys
  • .xls
  • .xlsx
  • .7z
  • .ppt
  • .pptx
  • .rar
  • .rtf
  • .sft
  • .tc
  • .txt
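The extra permissions and the harvested extensions listed above can be turned into a simple triage check for an app inventory. The following is an added example, not code from the article or from Trend Micro; the mapping of the article's plain-English permissions to Android permission constants, the threshold of four matched permissions, and the sample inventory are this example's own assumptions.

```python
import os
import re

# Extra permissions the trojanised app requests (article's plain-English list mapped
# to Android permission constants; the mapping is this example's assumption).
EXTRA_PERMISSIONS = {
    "android.permission.READ_CONTACTS",           # view contacts
    "android.permission.READ_EXTERNAL_STORAGE",   # read external storage
    "android.permission.WRITE_EXTERNAL_STORAGE",  # write external storage
    "android.permission.WAKE_LOCK",               # keep the device awake
    "android.permission.ACCESS_FINE_LOCATION",    # geolocation information
    "android.permission.READ_PHONE_STATE",        # telecom operator information
    "android.permission.ACCESS_WIFI_STATE",       # Wi-Fi network information
    "android.permission.RECEIVE_BOOT_COMPLETED",  # auto start after booting
}

# File extensions the implant harvests, taken from the article's list.
TARGETED_EXTENSIONS = {
    ".asc", ".dgs", ".doc", ".docx", ".edf", ".gpg", ".jpeg", ".jpg", ".key",
    ".m2r", ".meo", ".pdf", ".pgp", ".pir", ".pkr", ".pub", ".rjv", ".rms",
    ".sem", ".sit", ".skr", ".sys", ".xls", ".xlsx", ".7z", ".ppt", ".pptx",
    ".rar", ".rtf", ".sft", ".tc", ".txt",
}

# Package-name prefix shared by the six samples (com.egov.app.*).
PACKAGE_PATTERN = re.compile(r"^com\.egov\.app\.")

def triage_app(package, permissions, threshold=4):
    """Flag an installed app that carries the egov package prefix and requests
    at least `threshold` of the permissions the legitimate app never needed."""
    matched = sorted(EXTRA_PERMISSIONS.intersection(permissions))
    flagged = bool(PACKAGE_PATTERN.match(package)) and len(matched) >= threshold
    return {"package": package, "matched": matched, "flagged": flagged}

def exposed_files(paths):
    """Return the files whose extension is on the harvest list (case-insensitive)."""
    return [p for p in paths if os.path.splitext(p)[1].lower() in TARGETED_EXTENSIONS]

if __name__ == "__main__":
    # Constructed inventory: one benign-looking install and one matching the trojan profile.
    inventory = [
        ("com.egov.app.sample", ["android.permission.INTERNET"]),
        ("com.egov.app.sample", ["android.permission.INTERNET", *EXTRA_PERMISSIONS]),
    ]
    for pkg, perms in inventory:
        print(triage_app(pkg, perms))
    print(exposed_files(["/sdcard/notes.TXT", "/sdcard/key.pkr", "/sdcard/song.mp3"]))
```

The second function gives a rough measure of what a compromised device would have exposed, which is useful when scoping an incident.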

Researchers note that the attackers use several delivery methods to get the malicious app onto victims' devices.

They therefore strongly recommend that users disable installation of apps from “unknown sources” on their Android devices.

Leaving this setting enabled makes it easier for an attacker to install malware on the targeted device.

Balaji N
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.