StrongPity APT Group Deploys Android Malware for the First Time Sr. Threat Researcher Mobile Threats Analyst

If we examine another StrongPity sample (12818a96211b7c47863b109be63e951075cf6a41652464a584dd2f26010f7535), the logic is similar — it drops a normal installer into the Temp directory and creates a directory for dropped malicious files.

Here are three notable similarities between the Windows sample and the Android sample:

1.    They all disguised as normal apps by utilizing the original clean applications — the Android sample repacks the original one into a trojanized version, while the Windows sample uses a trojanized installer packed with the original program.

2.    Both collect and exfiltrate files from the infected device.

3.    Both are highly modular. The Windows sample has a standalone Exfiltration and File Search module, a feature that could also be seen in the latest test Android sample.

We found several clues that link the malicious Android samples with the StrongPity threat actor.

The sample 74582c3d920332117541a9bbc6b8995fbe7e1aff communicates with the URL  https://www.upn-sec3-msd[.]com/ProxyServer/service/.  The domain name “upn-sec3-msd[.]com” was mentioned in another StrongPity report.

The domain naming pattern and domain acquisition techniques are quite similar. For example, the domain names used by StrongPity in 2020 have a domain naming pattern similar to the domains used by the identified Android samples.

One of the domain names, networktopologymaps[.]com, was likely bought when registration at Gandi expired. The domain was acquired via the Porkbun network registrar.

This is similar to the domain hostoperationsystems[.]com, which was previously mentioned in the Talos report. This domain was also acquired via Porkbun and features a comparable domain naming pattern.

Another notable point of correlation to StrongPity is the list of file extensions, which we have seen in Android samples. A similar list of the file extensions for the files is presented in variants of the trojan for Windows systems. For example, one of the samples that we had examined earlier, gathers files with the following extensions:

  • .7z
  • .asc
  • .dgs
  • .doc
  • .docx
  • .gpg
  • .pdf
  • .pgp
  • .ppt
  • .pptx
  • .rar
  • .rjv
  • .rms
  • .rtf
  • .sft
  • .tc
  • .txt
  • .xls
  • .xlsx

As we previously mentioned, there are no public reports of the StrongPity threat actor using malicious Android applications in the attack. However, we examined the trojan code-embedding techniques as well as the trojan functionality of the malicious code written by the same threat actor for Windows platforms, and we have identified some similar patterns. This leads us to believe that these could belong to the same threat actor.

StrongPity actively develops new malicious android apps

We believe that the StrongPity Threat actor is actively developing backdoors for Android. Based on the test sample that we have identified, we can see that the threat actor attempts several techniques to lure potential victims: repackaged applications, compromised websites, and fake variants of popular applications.

Based on the additional functionalities that we identified in the fake Samsung security service application (75dc2829abb951ff970debfba9f66d4d7c6b7c48a823a911dd5874f74ac63d7b), we think that among the APK files that we had identified, the repackaged applications are bundled with the first version of the Android trojan, while the fake application could be a work in progress for the next version of the tool.

In the second version, we observed the threat actor developed and included some additional components and as well as added support for more message types.

The following table shows the types that the threat actor has defined.

Message type

Details

MSG_ADD_MODULE

Add a new module

MSG_GET_MODULE

Get the module instance

MSG_DEL_MODULE

Delete module file under <DIR>/.android/.li/<module name>

MSG_DEL_APK

Delete the APK file under the download directory

MSG_START_MODULES

Table 2. Message types defined by the threat actor

In this version, MSG_COLLECT is no longer present — we think they replaced it with MSG_START_MODULES, a message used to read all module names from the shared preference, and start/initialize them one by one.

We were not able to get access to these modules, but based on some of the code functionality that we observed, we believe that these modules are designed to collect data from the victim’s devices and write the collected data into a local SQLite db data file. However, we were not able to find any of these modules in the wild.

There are also several other key differences between version 1 and version 2 of the trojan:

  • The message Handler for heartbeat message in version 2 is now split into two messages: heartbeat and taken_config. Either of these messages can receive a response from the C&C server and decrypt the response to update the local configuration, similarly to the version 1.
  • Version 2 uses different AES encryption keys:  key(“aaaanothingimpossiblebbb”), and AES IV(“aaaanothingimpos”)
  • ScreenReceiver class is added to the second version of the trojan. The purpose of this Receiver is to start the malicious service via Screen_On and Screen_Off events.
  • Version 2 has an ability to execute “su” command, if the device is rooted. The main usage of the root privilege here is that it could grant permissions silently. Such permissions include accessibility, notification and other. However, we did not find any evidence that the sample would attempt to root the device.
  • Two components were added in version 2 for accessibility and notification.
  • Version 2 uses SQLite to store collected data. Furthermore, it no longer uses ZIP.
  • In Version 2, the extra modules used in “MSG_START_MODULES” are downloaded from the C&C server via either the heartbeat or taken_config message. It’s possible that these modules are decompressed as part of the response into <DIR>/.android/.li and consequentially executed.

This investigation has provided evidence to attribute the Android malware sample, which was posted on the Syrian e-Gov website, to the StrongPity threat group. We were also able to identify additional Android trojan files and correlate these malicious Android applications with existing public reports based on their similarities to the threat actor’s TTPs and network infrastructure they used.

Although there are no previously known malicious Android applications attributed to the StrongPity group, we strongly believe that the threat actor is in the process of actively developing new malicious components that can be used to target Android platforms.

We believe that the threat actor is exploring multiple ways of delivering the applications to potential victims, such as using fake apps and using compromised websites as watering holes to trick users into installing malicious applications. Typically, these websites would require its users to download the applications directly onto their devices. In order to do so, these users would be required to enable installation of the applications from “unknown sources” on their devices. This bypasses the “trust-chain” of the Android ecosystem and makes it easier for an attacker to deliver additional malicious components.

SHA256

Description

Detection

fd1aac87399ad22234c503d8adb2ae9f0d950b6edf4456b1515a30100b5656a7

The trojanized version of the Syria eGov Application

AndroidOS_StrongPity.HRX

374d92f553c28e9dad1aa7f5d334a07dede1e5ad19c3766efde74290d0c49afb

Sample repackaged from Kingoroot

AndroidOS_StrongPity.HRX

a9378a5469319faffc48f3aa70f5b352d5acb7d361c5177a9aac90d9c58bb628

                                                                                       

Sample repackaged from net.cybertik.wifi

AndroidOS_StrongPity.HRX

be9214a5804632004f7fd5b90fbac3e23f44bb7f0a252b8277dd7e9d8b8a52f3

Repackaged from Snaptube

AndroidOS_StrongPity.HRX

596257ef017b02ba6961869d78a2317500a45f00c76682a22bbdbd3391857b5d

Repackaged from Snaptube

AndroidOS_StrongPity.HRX

75dc2829abb951ff970debfba9f66d4d7c6b7c48a823a911dd5874f74ac63d7b

Fake Samsung Security Service sample

AndroidOS_StrongPity.HRX


Network C&C Infrastructure

SHA256

Domain

Detection

fd1aac87399ad22234c503d8adb2ae9f0d950b6edf4456b1515a30100b5656a7

Internetwideband[.]com

AndroidOS_StrongPity.HRX

374d92f553c28e9dad1aa7f5d334a07dede1e5ad19c3766efde74290d0c49afb

upeg-system-app[.]com

AndroidOS_StrongPity.HRX

a9378a5469319faffc48f3aa70f5b352d5acb7d361c5177a9aac90d9c58bb628

                                                                                       

networktopologymaps[.]com

AndroidOS_StrongPity.HRX

be9214a5804632004f7fd5b90fbac3e23f44bb7f0a252b8277dd7e9d8b8a52f3

networktopologymaps[.]com

AndroidOS_StrongPity.HRX

596257ef017b02ba6961869d78a2317500a45f00c76682a22bbdbd3391857b5d

upeg-system-app[.]com

AndroidOS_StrongPity.HRX

75dc2829abb951ff970debfba9f66d4d7c6b7c48a823a911dd5874f74ac63d7b

upn-sec3-msd[.]com

AndroidOS_StrongPity.HRX

Read More HERE