An APT actor has been found running a new campaign that deploys Android malware via the Syrian e-Government Web Portal, indicating an upgraded arsenal designed to compromise victims.
According to Trend Micro researchers Zhengyu Dong, Fyodor Yarochkin, and Steven Du, as far as they know, this is the first time that the group has been publicly found using malicious Android applications as part of its attacks.
StrongPity, also called Promethium by Microsoft, has been active since at least 2012 and has focused on targets across Turkey and Syria. In June 2020, the espionage threat actor was linked to a wave of activity that relied on watering hole attacks and tampered installers, which abuse the popularity of legitimate applications, to infect targets with malware.
Even though Promethium's campaigns have been exposed several times, the actors behind it have not stopped. The fact that the group keeps launching new campaigns even after being exposed shows its resolve to accomplish its mission.
The malware, masquerading as the Syrian e-Gov Android application, was believed to have been created in May 2021, with the app’s manifest file (“AndroidManifest.xml”) modified to explicitly request additional permissions on the phone, including the ability to read contacts, write to external storage, keep the device awake, access information about cellular and Wi-Fi networks, precise location, and even allow the app to have itself started as soon as the system has finished booting.
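The manifest changes described above can be checked mechanically during triage. The script below is an added illustration, not code from the original report or from the Trend Micro researchers: it parses a decoded AndroidManifest.xml (binary AXML must first be decoded, for example with apktool) and flags the combination of the watchlisted permissions with a receiver for the boot-completed broadcast. The permission names are standard Android identifiers; the sample manifest, the package name and the threshold of five permissions are constructed assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"  # ElementTree key for the android:name attribute

# Permissions matching the capabilities the article lists for the trojanised app
# (real Android permission names; that the sample declares exactly these is assumed).
WATCHLIST = {
    "android.permission.READ_CONTACTS": "read contacts",
    "android.permission.WRITE_EXTERNAL_STORAGE": "write to external storage",
    "android.permission.WAKE_LOCK": "keep the device awake",
    "android.permission.ACCESS_NETWORK_STATE": "cellular network information",
    "android.permission.ACCESS_WIFI_STATE": "Wi-Fi network information",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.RECEIVE_BOOT_COMPLETED": "start as soon as the system boots",
}
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"

def triage_manifest(xml_text):
    """Return (flagged permissions, has boot receiver) for a decoded manifest."""
    root = ET.fromstring(xml_text)
    declared = {p.get(NAME) for p in root.iter("uses-permission")}
    flagged = {p: WATCHLIST[p] for p in sorted(declared & set(WATCHLIST))}
    # A receiver for BOOT_COMPLETED is what lets the app relaunch itself after every reboot.
    boot_receiver = any(
        a.get(NAME) == BOOT_ACTION
        for r in root.iter("receiver")
        for a in r.iter("action")
    )
    return flagged, boot_receiver

def risk_summary(xml_text, threshold=5):
    """Flag a manifest that pairs a boot receiver with at least `threshold` watchlisted
    permissions; a portal front-end app has little reason to need this combination."""
    flagged, boot_receiver = triage_manifest(xml_text)
    return {
        "flagged": flagged,
        "boot_receiver": boot_receiver,
        "suspicious": boot_receiver and len(flagged) >= threshold,
    }

# Constructed sample manifest (placeholder package name, not the real sample's manifest).
SAMPLE_MANIFEST = "".join(
    [f'<manifest xmlns:android="{ANDROID_NS}" package="placeholder.egov.app">']
    + [f'<uses-permission android:name="{p}"/>' for p in WATCHLIST]
    + ['<application><receiver android:name=".BootReceiver"><intent-filter>',
       f'<action android:name="{BOOT_ACTION}"/></intent-filter></receiver>',
       "</application></manifest>"]
)
```

Running `risk_summary(SAMPLE_MANIFEST)` on the constructed manifest reports all seven permissions, the boot receiver, and `suspicious: True`; a manifest that only asks for network state and no boot receiver is not flagged.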
The malicious app is also designed to perform long-running tasks in the background and trigger a request to a remote command-and-control (C2) server, which responds back with an encrypted payload containing a settings file that allows the “malware to change its behavior according to the configuration” and update its C2 server address.
The malware also has the capacity to hoover up data stored on the infected device, such as contacts, Word and Excel documents, PDFs, images, security keys, and files saved using Dagesh Pro Word Processor (.DGS), among others, all of which are exfiltrated back to the C2 server.
The researchers stated that the threat actor is exploring multiple ways to deliver the applications to potential victims, such as using fake apps and using compromised websites as watering holes to trick users into installing malicious applications.
These websites would require their users to download the applications directly onto their devices. To do so, users must enable installation of applications from ‘unknown sources’ on their devices. This bypasses the ‘trust chain’ of the Android ecosystem and makes it easier for an attacker to deliver additional malicious components.