Menu
NewsSocial MediaTechnology

ESET Research discovers StrongPity APT group’s espionage campaign targeting Android users with trojanized Telegram app

By Rahul Roy
  • ESET researchers identified an active StrongPity campaign distributing a fully functional but trojanized version of the legitimate Telegram app.
  • This is the first time that the described modules and their functionality have been documented publicly.
  • StrongPity’s backdoor is modular and has various spying features, such as recording phone calls, collecting SMS messages, collecting lists of call logs and contact lists, and much more.
  • If the victim grants the malicious StrongPity app notification access and accessibility services, the malware is able to exfiltrate communication from messaging apps such as Viber, Skype, Gmail, Messenger, and Tinder.  
  • A copycat website mimicking Shagle, an adult video-chat service, is used to distribute StrongPity’s mobile backdoor app.
  • The app is a modified version of the open-source Telegram app, repackaged with StrongPity backdoor code.
  • Based on similarities with previous StrongPity backdoor code and the app being signed with a certificate from an earlier StrongPity campaign, we attribute this threat to the StrongPity APT group.

ESET researchers identified an active StrongPity APT group campaign leveraging a fully functional but trojanized version of the legitimate Telegram app, which despite being non-existent, has been repackaged as „the“ Shagle app. This StrongPity backdoor has various spying features: its 11 dynamically triggered modules are responsible for recording phone calls, collecting SMS messages, collecting lists of call logs, and contact lists, and much more.

These modules are being documented publicly for the very first time. If the victim grants the malicious StrongPity app notification access and accessibility services, the app will also have access to incoming notifications from 17 apps such as Viber, Skype, Gmail, Messenger, and Tinder, and will be able to exfiltrate chat communication from other apps. The campaign is likely very narrowly targeted, since ESET telemetry still hasn’t identify any victims. 

Unlike the entirely web-based, genuine Shagle site, which doesn’t offer an official mobile app to access its services, the copycat site only provides an Android app to download, with no web-based streaming possible. This trojanized Telegram app has never been made available from the Google Play store.

The malicious code, its functionality, class names, and the certificate used to sign the APK file, are the identical to the previous campaign; thus ESET believes with high confidence that this operation belongs to the StrongPity group. Code analysis revealed that the backdoor is modular and additional binary modules are downloaded from the C&C server. This means that the number and type of modules used can be changed at any time to fit the campaign requests when operated by the StrongPity group.

ESET Research discovers StrongPity APT group’s espionage campaign targeting Android users with trojanized Telegram app

“During our research, the analyzed version of malware available from the copycat website was not active anymore and it was no longer possible to successfully install and trigger its backdoor functionality. This is because StrongPity hasn’t obtained its own API ID for its trojanized Telegram app. But that might change at any time should the threat actor decide to update the malicious app,” says Lukáš Štefanko, the ESET researcher who analyzed the trojanized Telegram app.

The repackaged version of Telegram uses the same package name as the legitimate Telegram app. Package names are supposed to be unique IDs for each Android app and must be unique on any given device. This means that if the official Telegram app is already installed on the device of a potential victim, then this backdoored version can’t be installed. “This might mean one of two things – either the threat actor first communicates with potential victims and pushes them to uninstall Telegram from their devices if it is installed, or the campaign focuses on countries where Telegram usage is rare for communication,” adds Štefanko.

StrongPity’s app should have worked just as the official version does for communication, using standard APIs that are well documented on the Telegram website, but it no longer does. Compared to the first StrongPity malware discovered for mobile, this StrongPity backdoor has extended spying features, being able to spy on incoming notifications and exfiltrate chat communication, if the victim grants the app notification access and activates accessibility services.

Read: Amazon Great Republic Day Sale is coming, 17th to 20th January

Previous article
All India Gaming Federation supports the draft rules released by Government for the online gaming sector
Next article
Virat Kohli make an outstanding comeback in cricket by smashing back-to-back ODI centuries

LEAVE A REPLY

Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.

More like this

EXCLUSIVE: The Naughtiest Telegram Adult Bots as of 2025

Looking for the best Telegram Adult Bots in 2025? Explore our curated list of the Top Sexiest...
Ullu Web Series Telegram Channel: Simple Guide to Join Telegram Groups

Ullu Web Series Telegram Channel Links 2025: An Easy...

Ullu Web Series Telegram Channel Links: The Ullu web series has taken the streaming world by storm,...
Telegram Adult Bots

Telegram Adult Group Links: How to Join Channels in...

Telegram Adult Group Links in 2025: Over the past few years, Messenger has appeared as one of...
Bollywood Movies Telegram Channel

Best Bollywood Movies Telegram Channel: How to Join in...

Bollywood Movies Telegram Channel in 2025: You are aware, Bollywood films have a distinct appeal that leaves...
Exclusive: The Top 10 Best Telegram Bots that You Must Try

UPDATED: Top 10 Best Telegram Bots that You Must...

You can include tiny, automated computer programs called "Telegram bots" in your channels or chats on the...

LATEST NEWS

FAQ

Mats Hummels to Hang Up His Boots At The Age of 36: German Defender Set for Retirement at Season’s End

German football legend Mats Hummels has officially confirmed he will retire from professional football at the end of the current season. The 36-year-old centre-back,...
Read More
FAQ

Spanish Dani Olmo Cleared to Play for Barcelona As CSD Overrules La Liga’s Decision

Barcelona’s battle to register Dani Olmo and Pau Victor has finally come to an end, with Spain's National Sports Council (CSD) ruling in the...
Read More
FAQ

Final Fantasy 9 Remake Speculation Grows After Anniversary Site Launch

Square Enix has reignited excitement for a potential Final Fantasy 9 remake by launching an official website celebrating the game's 25th anniversary. The new...
Read More
Cricket

IPL 2025: LSG Edge MI in Thriller as Marsh, Markram Shine and Avesh Holds Nerve at Death

Tilak Varma retired out while Hardik Pandya took charge of strike rotation, but their late push wasn’t enough as Mumbai Indians (MI) fell short...
Read More

Featured

TechnoSports1

ABOUT US

Made by Enthusiasts, Read by geeks and passionates. We serve the best Tech & Sports news for our global readers every day. Catch all the latest news at TechnoSports, join our family now!

Contact us: admin@technosports.co.in

Follow Us

© 2025 TechnoSports Media Group