\n| \n MSG_START_MODULES<\/p>\n<\/td>\n | \n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\nTable 2. Message types defined by the threat actor<\/h5>\nIn this version, MSG_COLLECT is no longer present \u2014 we think they replaced it with MSG_START_MODULES, a message used to read all module names from the shared preference, and start\/initialize them one by one.<\/p>\n We were not able to get access to these modules, but based on some of the code functionality that we observed, we believe that these modules are designed to collect data from the victim\u2019s devices and write the collected data into a local SQLite db data file. However, we were not able to find any of these modules in the wild.<\/p>\n There are also several other key differences between version 1 and version 2 of the trojan:<\/p>\n \n- The message Handler for heartbeat message in version 2 is now split into two messages: heartbeat and taken_config. Either of these messages can receive a response from the C&C server and decrypt the response to update the local configuration, similarly to the version 1.<\/span><\/li>\n
- Version 2 uses different AES encryption keys: key(“aaaanothingimpossiblebbb”), and AES IV(“aaaanothingimpos”)<\/span><\/li>\n
- ScreenReceiver class is added to the second version of the trojan. The purpose of this Receiver is to start the malicious service via Screen_On and Screen_Off events.<\/span><\/li>\n
- Version 2 has an ability to execute \u201csu\u201d command, if the device is rooted. The main usage of the root privilege here is that it could grant permissions silently. Such permissions include accessibility, notification and other. However, we did not find any evidence that the sample would attempt to root the device. <\/span><\/li>\n
- Two components were added in version 2 for accessibility and notification.<\/span><\/li>\n
- Version 2 uses SQLite to store collected data. Furthermore, it no longer uses ZIP.<\/span><\/li>\n
- In Version 2, the extra modules used in \u201cMSG_START_MODULES\u201d are downloaded from the C&C server via either the heartbeat or taken_config message. It\u2019s possible that these modules are decompressed as part of the response into <DIR>\/.android\/.li and consequentially executed.<\/span><\/li>\n<\/ul>\n
This investigation has provided evidence to attribute the Android malware sample, which was posted on the Syrian e-Gov website, to the StrongPity threat group. We were also able to identify additional Android trojan files and correlate these malicious Android applications with existing public reports based on their similarities to the threat actor\u2019s TTPs and network infrastructure they used.<\/p>\n Although there are no previously known malicious Android applications attributed to the StrongPity group, we strongly believe that the threat actor is in the process of actively developing new malicious components that can be used to target Android platforms.<\/p>\n We believe that the threat actor is exploring multiple ways of delivering the applications to potential victims, such as using fake apps and using compromised websites as watering holes to trick users into installing malicious applications. Typically, these websites would require its users to download the applications directly onto their devices. In order to do so, these users would be required to enable installation of the applications from \u201cunknown sources\u201d on their devices. This bypasses the \u201ctrust-chain\u201d of the Android ecosystem and makes it easier for an attacker to deliver additional malicious components.<\/p>\n |
![](\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/g\/strongpity-apt-group-deploys-android-malware-for-the-first-time\/strongpity-android-641.png\")
<\/p>\n