The APT group known as StrongPity was found distributing an Android app masquerading as the mobile version of the random video chat website Shagle. The Shagle platform, however, is entirely web based with no official mobile app. Similar to sites like Omegle or Chat Roulette, Shagle offers an encrypted video chat that matches up users at random.
While it is currently unknown how victims are lured to the fake Shagle website, it’s most likely spread via phishing messages through SMS, email, and instant messengers. The fake Shagle website appeared in November 2021, and the first confirmed detection appeared in July 2022. The group uses a fake Shagle website that tricks users into downloading their infected Android app. Once the malicious app is installed by a victim, the threat actors can spy on phone calls, SMS messages, contact lists, and more. The malicious APK file named “video.apk” is actually a modified version of the Telegram app made to appear similar to the Shagle website. Unfortunately for the threat actors, if the victim already has Telegram installed, the malicious Shagle app will not install.
Once the malicious app is installed, it reaches out to the threat actor’s Command and Control (C2) servers and downloads an encrypted set of binaries used to perform the malicious actions. The current list of the malware’s capabilities is listed below:
- libarm.jar – records phone calls
- libmpeg4.jar – collects text of incoming notification messages from 17 apps
- local.jar – collects file list (file tree) on the device
- phone.jar – misuses accessibility services to spy on messaging apps by exfiltrating contact name, chat message, and date
- resources.jar – collects SMS messages stored on the device
- services.jar – obtains device location
- systemui.jar – collects device and system information
- timer.jar – collects a list of installed apps
- toolkit.jar – collects contact list
- watchkit.jar – collects a list of device accounts
- wearkit.jar – collects a list of call logs
By using the Android Accessibility Service, the malicious app is able to read any notifications coming from other installed apps like Snapchat, Tinder, Instagram, Twitter, etc. The threat worsens if the victim Android device is rooted, as the malicious app will grant itself full permissions to perform any actions that are normally restricted.
Binary Defense strongly recommends that Android users source their apps from a trusted source such as the Google Play store. Extreme caution should be used when installing an APK from any other source.