Fake Telegram app used to spy on Android devices, says analyst
A spyware program that mimics a web-based video-chat service and the popular social media messaging app Telegram to target Android users has been spotted in the wild by cybersecurity analyst ESET.

Attributed to the threat group known as StrongPity, the fake Telegram app is offered free of charge to the unwary on a dummy version of Shagle – a video-chat service that only offers web-based resources.

Described by ESET as a “trojanized version” of Telegram, the bogus app is believed to have been used by the threat group to spy on targets since November.

“The campaign has distributed a malicious app through a website impersonating Shagle – a random-video-chat service that provides encrypted communications between strangers,” said ESET on its dedicated blog WeLiveSecurity.

“Unlike the entirely web-based, genuine Shagle site that doesn’t offer an official mobile app to access its services, the copycat site only provides an Android app to download, and no web-based streaming is possible.”

StrongPity is believed to be using the copycat version of the Shagle website and the bogus Telegram app to install a backdoor that allows it to record phone conversations, as well as harvest SMS, call logs, and contact lists.

Worse, if the victim grants the impostor app the access it requests, the threat actors can also exfiltrate similar data from 17 other apps, including Viber, Skype, Gmail, Messenger, and Tinder.
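The capabilities described above suggest what a defender can check for on a managed Android fleet: an app that calls itself Telegram but is not the official package, was not installed from Google Play, is not signed by the expected certificate, and holds the permissions needed to record audio and read SMS, call logs and contacts. The following triage script is an added example, not code from ESET's report or from the campaign itself. It assumes an inventory assembled from `adb shell pm list packages -f` (package and APK path) plus, per package, the installing package, the SHA-256 of the signing certificate and the granted permissions; every record below is constructed for the example, and the trusted signer digest is a placeholder to be filled from a verified Telegram APK.

```python
"""Triage installed Android apps that present themselves as Telegram.

Added example (not ESET's or the campaign's code). Inventory records are
constructed; the trusted signer digest is a placeholder.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

OFFICIAL_TELEGRAM_PACKAGES = {"org.telegram.messenger"}  # real package name
PLAY_STORE_INSTALLER = "com.android.vending"              # real Play Store installer id
# Placeholder: replace with the digest printed by `apksigner verify --print-certs`
# on a Telegram APK obtained from the official source.
TRUSTED_SIGNER_SHA256 = {"org.telegram.messenger": "PLACEHOLDER_OFFICIAL_SIGNER_SHA256"}

# Permissions corresponding to the spying capabilities described in the article.
SPY_PERMISSIONS = {
    "android.permission.RECORD_AUDIO": "record phone conversations",
    "android.permission.READ_SMS": "harvest SMS",
    "android.permission.READ_CALL_LOG": "harvest call logs",
    "android.permission.READ_CONTACTS": "harvest contact lists",
}


@dataclass
class InstalledApp:
    package: str
    apk_path: str
    label: str                 # user-visible app name
    installer: Optional[str]   # None: sideloaded (adb, browser download, ...)
    signer_sha256: str
    permissions: Set[str]


def parse_pm_list(output: str) -> Dict[str, str]:
    """Parse `pm list packages -f` lines, which look like
    package:/data/app/<dir>/base.apk=<package name>, into {package: apk_path}.
    rpartition is used because APK directory names may themselves contain '='."""
    result = {}
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith("package:") or "=" not in line:
            continue
        path, _, package = line[len("package:"):].rpartition("=")
        result[package] = path
    return result


def assess(app: InstalledApp) -> List[str]:
    """Return the reasons an app looks like a trojanized Telegram; empty if none."""
    findings = []
    claims_telegram = "telegram" in app.label.lower()
    if claims_telegram and app.package not in OFFICIAL_TELEGRAM_PACKAGES:
        findings.append(f"labelled '{app.label}' but package is {app.package}")
    expected = TRUSTED_SIGNER_SHA256.get(app.package)
    if expected is not None and app.signer_sha256 != expected:
        findings.append("signing certificate differs from the trusted Telegram signer")
    sideloaded = app.installer != PLAY_STORE_INSTALLER
    if sideloaded and claims_telegram:
        findings.append(f"installed outside Google Play (installer={app.installer!r})")
    spy = [what for perm, what in SPY_PERMISSIONS.items() if perm in app.permissions]
    if sideloaded and len(spy) >= 3:
        findings.append("sideloaded app can " + ", ".join(spy))
    return findings


def is_suspicious(app: InstalledApp) -> bool:
    return bool(assess(app))


def triage(inventory: List[InstalledApp]) -> Dict[str, List[str]]:
    """Map each flagged package to its findings."""
    return {app.package: assess(app) for app in inventory if is_suspicious(app)}


# Constructed `pm list packages -f` output; paths and the second package are illustrative.
SAMPLE_PM_LIST = """\
package:/data/app/~~abc==/org.telegram.messenger-1/base.apk=org.telegram.messenger
package:/data/app/~~def==/com.example.videochat-1/base.apk=com.example.videochat
"""

_PATHS = parse_pm_list(SAMPLE_PM_LIST)
SAMPLE_INVENTORY = [
    # Genuine install: official package, Play Store installer, matching signer.
    InstalledApp("org.telegram.messenger", _PATHS["org.telegram.messenger"], "Telegram",
                 PLAY_STORE_INSTALLER, "PLACEHOLDER_OFFICIAL_SIGNER_SHA256",
                 {"android.permission.READ_CONTACTS", "android.permission.RECORD_AUDIO"}),
    # Constructed impostor: calls itself Telegram, sideloaded, holds all four spy permissions.
    InstalledApp("com.example.videochat", _PATHS["com.example.videochat"], "Telegram",
                 None, "constructed-unknown-signer-digest", set(SPY_PERMISSIONS)),
]

if __name__ == "__main__":
    for package, reasons in triage(SAMPLE_INVENTORY).items():
        print(package)
        for reason in reasons:
            print("  -", reason)
```

The signer check is the decisive test: a label or package name can be copied, but an APK cannot be signed with the official key by anyone who does not hold it. The permission heuristic is deliberately combined with the sideloading signal, since the genuine Telegram legitimately holds contacts and microphone permissions.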

ESET adds that the campaign is likely to be “very narrowly targeted”, because its telemetry – the process of analyzing collected data to determine the digital health of a potentially compromised system or network – has not identified any specific victims.

The analyst says it does not know how victims were lured to the fake Shagle site, adding that it saw no sign that Google Play – the go-to platform for Android users who want to download apps – was involved.

“There was no subterfuge suggesting the app was available from Google Play and we do not know how potential victims were lured to, or otherwise discovered, the fake website,” said ESET.

Also known as Promethium, StrongPity has been active since at least 2012 and is believed to be a mercenary espionage outfit that has expanded beyond original targets in the Middle East and Europe to become a global operation.