APT Hackers Distributed Android Trojan via Syrian e-Government Portal (Security News, July 2021)
An advanced persistent threat actor has been tracked in a new campaign deploying Android malware via the Syrian e-Government Web Portal, indicating an upgraded arsenal designed to compromise victims.
"To the best of our knowledge, this is the first time that the group has been publicly observed using malicious Android applications as part of its attacks," Trend Micro researchers Zhengyu Dong, Fyodor Yarochkin, and Steven Du said in a technical write-up published Wednesday.
In June 2020, the espionage threat actor was connected to a wave of activities that banked on watering hole attacks and tampered installers, which abuse the popularity of legitimate applications, to infect targets with malware.
The malware, masquerading as the Syrian e-Gov Android application, is said to have been created in May 2021, with the app's manifest file modified to explicitly request additional permissions on the phone, including the ability to read contacts, write to external storage, keep the device awake, access information about cellular and Wi-Fi networks and the device's precise location, and even start itself as soon as the system has finished booting.
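A defender-side way to spot this kind of manifest tampering is to diff the permissions a suspect APK's decoded AndroidManifest.xml requests against the set the genuine app is known to declare. The script below is an added example (not code from the article or from Trend Micro); the baseline permission set and the sample manifest are constructed for illustration, and the sample requests the permissions the article describes.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed baseline: permissions the genuine app is expected to declare (constructed).
BASELINE_PERMISSIONS = {"android.permission.INTERNET"}

# The permissions the article says the tampered manifest added (real Android constants).
HIGH_RISK = {
    "android.permission.READ_CONTACTS": "read contacts",
    "android.permission.WRITE_EXTERNAL_STORAGE": "write to external storage",
    "android.permission.WAKE_LOCK": "keep the device awake",
    "android.permission.ACCESS_NETWORK_STATE": "cellular network information",
    "android.permission.ACCESS_WIFI_STATE": "Wi-Fi network information",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.RECEIVE_BOOT_COMPLETED": "start itself after boot",
}
def analyze_manifest(xml_text, baseline=BASELINE_PERMISSIONS):
    """Return permissions added over the baseline, the high-risk ones, and boot receivers."""
    root = ET.fromstring(xml_text)
    requested = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    added = requested - baseline
    flagged = {p: HIGH_RISK[p] for p in sorted(added) if p in HIGH_RISK}
    # RECEIVE_BOOT_COMPLETED only matters with a receiver wired to the BOOT_COMPLETED action.
    boot_receivers = [
        r.get(ANDROID_NS + "name")
        for r in root.iter("receiver")
        if any(a.get(ANDROID_NS + "name") == "android.intent.action.BOOT_COMPLETED"
               for a in r.iter("action"))
    ]
    return {"added": sorted(added), "flagged": flagged, "boot_receivers": boot_receivers}

# Constructed sample manifest, shaped like the decoded output of apktool/aapt.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="example.egov.placeholder">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    report = analyze_manifest(SAMPLE_MANIFEST)
    for perm, why in report["flagged"].items():
        print(f"[!] added {perm} ({why})")
    print("boot receivers:", report["boot_receivers"])
```

Run it against the manifest that `apktool d` extracts from a suspect APK, with the baseline taken from a copy of the app obtained through the official store.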
Despite no known public reports of StrongPity using malicious Android applications in their attacks, Trend Micro's attribution to the adversary stems from the use of a C2 server that has previously been used in intrusions linked to the hacking group, notably a malware campaign documented by AT&T's Alien Labs in July 2019 that leveraged tainted versions of the WinBox router management software, WinRAR, and other trusted utilities to breach targets.
"Typically, these websites would require their users to download the applications directly onto their devices. In order to do so, these users would be required to enable installation of the applications from 'unknown sources' on their devices. This bypasses the 'trust-chain' of the Android ecosystem and makes it easier for an attacker to deliver additional malicious components," they added.