An advanced persistent threat actor has been abusing the Syrian e-Government Web Portal to deploy Android malware, security company Trend Micro says.
The espionage campaign is the work of a group known as StrongPity (tracked by Microsoft as Promethium), which has attacked targets in Turkey and Syria since 2012.
According to researchers from Trend Micro, this is the first time that this group has been using malicious Android apps.
“To the best of our knowledge, this is the first time that the group has been publicly observed using malicious Android applications as part of its attacks,” Trend Micro researchers Zhengyu Dong, Fyodor Yarochkin, and Steven Du wrote in a blog post published on Wednesday.
In June 2020, the same group launched a series of activities that targeted individuals with watering hole attacks and trojanized installers, using popular legitimate applications as lures to infect targets.
“Promethium has been resilient over the years,” Cisco Talos disclosed last year. “Its campaigns have been exposed several times, but that was not enough to make the actors behind it stop. The fact that the group does not refrain from launching new campaigns even after being exposed shows their resolve to accomplish their mission.”
The latest campaign is another example of how the threat actor repackages commonly used applications into trojans.
The malware, disguised as the Syrian e-Gov Android application, was built in May 2021. Its AndroidManifest.xml was modified to declare additional permissions, which the user is prompted to grant on installation or first use: it can modify the phone’s settings, read contacts, write to external storage, keep the device awake, read cellular and Wi-Fi network information, and access the device’s location.
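As an added illustration, not code from the original article or from Trend Micro, the following Python script compares the permissions and components declared in two AndroidManifest.xml files, the kind of check an analyst would run to spot a repackaged app like the one described above (decoded manifests can be produced with a tool such as apktool). Both manifests are constructed samples; the permission strings are standard Android ones chosen to match the capabilities listed in the text rather than names quoted from the report, and the package name gov.example.portal is made up.

```python
"""Diff the permissions and components declared in two AndroidManifest.xml files.

Added example, not Trend Micro's tooling. The idea: a repackaged app keeps the
original package name and activities but its manifest gains permissions and
background components. Comparing a suspect manifest against a known-good build
of the same app surfaces exactly that kind of tampering.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Permissions that grant broad access to user data or device state. Any of these
# appearing in the suspect manifest but not in the baseline is a finding worth
# investigating. (Assumed list for illustration; extend as needed.)
SENSITIVE = {
    "android.permission.WRITE_SETTINGS",
    "android.permission.READ_CONTACTS",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.WAKE_LOCK",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.ACCESS_WIFI_STATE",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
}

# Constructed sample: what a benign build of the app might declare.
BASELINE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="gov.example.portal">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application android:label="Portal">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""

# Constructed sample: the same package repackaged with extra permissions and a
# background service, mirroring the capabilities the text attributes to the trojan.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="gov.example.portal">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="Portal">
    <activity android:name=".MainActivity"/>
    <service android:name=".SyncService"/>
  </application>
</manifest>
"""


def _qualify(package: str, name: str) -> str:
    """Resolve a shorthand component name like '.MainActivity' to its full class name."""
    return package + name if name.startswith(".") else name


def declared_permissions(manifest_xml: str) -> set[str]:
    """Return the android:name values of every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}


def declared_components(manifest_xml: str, tag: str) -> set[str]:
    """Return fully qualified names of components of the given tag (service, receiver, ...)."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    return {_qualify(package, el.get(NAME_ATTR)) for el in root.iter(tag) if el.get(NAME_ATTR)}


def compare_manifests(baseline_xml: str, suspect_xml: str) -> dict:
    """Report what the suspect manifest declares beyond the baseline."""
    added = declared_permissions(suspect_xml) - declared_permissions(baseline_xml)
    report = {
        "added_permissions": sorted(added),
        "sensitive_additions": sorted(added & SENSITIVE),
    }
    for tag in ("service", "receiver", "provider"):
        extra = declared_components(suspect_xml, tag) - declared_components(baseline_xml, tag)
        report[f"added_{tag}s"] = sorted(extra)
    return report


if __name__ == "__main__":
    for key, values in compare_manifests(BASELINE_MANIFEST, SUSPECT_MANIFEST).items():
        print(f"{key}: {', '.join(values) or '-'}")
```

The comparison deliberately keys on the package name and on what the manifest declares, not on the signing certificate: a repackaged APK is signed with the attacker's key, so certificate comparison against the legitimate publisher is a separate, equally useful check.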
The app can also run long-running tasks in the background and contact a command-and-control (C2) server, which can deliver an encrypted payload for the app to execute.
The implant also harvests data from the device, including contacts, Word documents, and images, along with sensitive information such as security keys and passwords, and exfiltrates it to the C2 server.
“We believe that the threat actor is exploring multiple ways of delivering the applications to potential victims, such as using fake apps and using compromised websites as watering holes to trick users into installing malicious applications,” the researchers said.
“Typically, these websites would require their users to download the applications directly onto their devices. In order to do so, these users would be required to enable installation of the applications from ‘unknown sources’ on their devices. This bypasses the ‘trust-chain’ of the Android ecosystem and makes it easier for an attacker to deliver additional malicious components,” they added.