Menu
NewsSocial MediaTechnology

ESET Research discovers StrongPity APT group’s espionage campaign targeting Android users with trojanized Telegram app

By Rahul Roy
  • ESET researchers identified an active StrongPity campaign distributing a fully functional but trojanized version of the legitimate Telegram app.
  • This is the first time that the described modules and their functionality have been documented publicly.
  • StrongPity’s backdoor is modular and has various spying features, such as recording phone calls, collecting SMS messages, collecting lists of call logs and contact lists, and much more.
  • If the victim grants the malicious StrongPity app notification access and accessibility services, the malware is able to exfiltrate communication from messaging apps such as Viber, Skype, Gmail, Messenger, and Tinder.  
  • A copycat website mimicking Shagle, an adult video-chat service, is used to distribute StrongPity’s mobile backdoor app.
  • The app is a modified version of the open-source Telegram app, repackaged with StrongPity backdoor code.
  • Based on similarities with previous StrongPity backdoor code and the app being signed with a certificate from an earlier StrongPity campaign, we attribute this threat to the StrongPity APT group.

ESET researchers identified an active StrongPity APT group campaign leveraging a fully functional but trojanized version of the legitimate Telegram app, which despite being non-existent, has been repackaged as „the“ Shagle app. This StrongPity backdoor has various spying features: its 11 dynamically triggered modules are responsible for recording phone calls, collecting SMS messages, collecting lists of call logs, and contact lists, and much more.

These modules are being documented publicly for the very first time. If the victim grants the malicious StrongPity app notification access and accessibility services, the app will also have access to incoming notifications from 17 apps such as Viber, Skype, Gmail, Messenger, and Tinder, and will be able to exfiltrate chat communication from other apps. The campaign is likely very narrowly targeted, since ESET telemetry still hasn’t identify any victims. 

Unlike the entirely web-based, genuine Shagle site, which doesn’t offer an official mobile app to access its services, the copycat site only provides an Android app to download, with no web-based streaming possible. This trojanized Telegram app has never been made available from the Google Play store.

The malicious code, its functionality, class names, and the certificate used to sign the APK file, are the identical to the previous campaign; thus ESET believes with high confidence that this operation belongs to the StrongPity group. Code analysis revealed that the backdoor is modular and additional binary modules are downloaded from the C&C server. This means that the number and type of modules used can be changed at any time to fit the campaign requests when operated by the StrongPity group.

ESET Research discovers StrongPity APT group’s espionage campaign targeting Android users with trojanized Telegram app

“During our research, the analyzed version of malware available from the copycat website was not active anymore and it was no longer possible to successfully install and trigger its backdoor functionality. This is because StrongPity hasn’t obtained its own API ID for its trojanized Telegram app. But that might change at any time should the threat actor decide to update the malicious app,” says Lukáš Štefanko, the ESET researcher who analyzed the trojanized Telegram app.

The repackaged version of Telegram uses the same package name as the legitimate Telegram app. Package names are supposed to be unique IDs for each Android app and must be unique on any given device. This means that if the official Telegram app is already installed on the device of a potential victim, then this backdoored version can’t be installed. “This might mean one of two things – either the threat actor first communicates with potential victims and pushes them to uninstall Telegram from their devices if it is installed, or the campaign focuses on countries where Telegram usage is rare for communication,” adds Štefanko.

StrongPity’s app should have worked just as the official version does for communication, using standard APIs that are well documented on the Telegram website, but it no longer does. Compared to the first StrongPity malware discovered for mobile, this StrongPity backdoor has extended spying features, being able to spy on incoming notifications and exfiltrate chat communication, if the victim grants the app notification access and activates accessibility services.

Read: Amazon Great Republic Day Sale is coming, 17th to 20th January

Previous article
All India Gaming Federation supports the draft rules released by Government for the online gaming sector
Next article
Virat Kohli make an outstanding comeback in cricket by smashing back-to-back ODI centuries

LEAVE A REPLY

Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.

More like this

Telegram Adult Group Links

Telegram Adult Group Links: How to Join Channels in...

Over the past few years, Messenger has appeared as one of the most widely used social media...
Bollywood Movies Telegram Channel

The Bollywood Movies Telegram Channel: How to Join in...

Bollywood Movies Telegram Channel: You are aware, Bollywood films have a distinct appeal that leaves the audience...

Exclusive: Hottest Telegram Adult Bots You Must Try in...

Looking for the best Telegram adult bots? Explore our curated list of the Top Sexiest Adult Bots...

Exclusive: The Top WhatsApp Alternatives to Consider in 2025

Top 5 WhatsApp Alternatives: Since the world starts realizing the importance of data privacy and security, more...
Ullu Web Series Telegram Channel: Simple Guide to Join Telegram Groups

Ullu Web Series Telegram Channel Links: Easy Guide in...

The Ullu web series has taken the streaming world by storm, offering a wide range of adult...

LATEST NEWS

FAQ

Aston Villa’s Jhon Duran Set for €77m Move to Al Nassr: Medical Imminent

Aston Villa's Colombian forward, Jhon Duran, is on the verge of completing a €77 million transfer to Saudi Arabian giants Al Nassr. Set to...
Read More
Apple

iPhone 17’s Dynamic Island Revealed: No Size Change from iPhone 16

Hey there, Apple fans! If you’ve been keeping up with the latest iPhone rumors, you’ve probably heard some buzz about the iPhone 17 lineup....
Read More
Cricket

Virat Kohli’s Triumphant Return to Ranji Trophy: The Legend Comes Home

With cricket fans buzzing and the Arun Jaitley Stadium packed to the rafters, Virat Kohli made an electric return to the Ranji Trophy after...
Read More
FAQ

Why DeepSeek Is Causing a Stir in the AI Industry in 2025?

It took about a month for the finance world to understand the significance of DeepSeek, but when it did, it did so by knocking...
Read More

Featured

TechnoSports1

ABOUT US

Made by Enthusiasts, Read by geeks and passionates. We serve the best Tech & Sports news for our global readers every day. Catch all the latest news at TechnoSports, join our family now!

Contact us: admin@technosports.co.in

Follow Us

© 2025 TechnoSports Media Group