According to ESET’s report, the malicious campaign mimicking Shagle has been active since November 2021. It consisted of a fake mirror site and a trojanized application that pretended to be Shagle but was, in reality, a modified copy of Telegram. The campaign, associated with the StrongPity APT (advanced persistent threat) group, was most likely designed to target a narrow group of Android users.
Shagle is a free platform that offers messaging and video-chatting functionality. It is only a web-based service, which means there is no official Shagle mobile app for Android phones or iPhones.
However, hackers took advantage of the service’s popularity to distribute a mobile app impersonating Shagle. The app was, in fact, a functioning but trojanized copy of Telegram messenger. The fake app contained a backdoor known as StrongPity and was capable of performing various spying operations, such as:
- gathering text messages
- recording phone calls
- intercepting contact lists
- and more.
The creators of the fake Shagle app used a mirror site to distribute the malware. The website looked very similar to the official Shagle site but included a button that allowed users to download the fake app.
According to ESET, the malware was designed for a narrow group of Android users, as researchers have yet to discover any actual victims of the campaign.
It is possible that links to the mirror copy of Shagle’s website were distributed to precisely selected targets in phishing emails and via instant messaging applications.
The word “trojan” is short for “trojan horse.” As in the Greek myth, a trojan is designed to fool someone into thinking they are using something safe and legitimate.
Trojans resemble normal applications and are functional, but they have been modified to perform malicious actions. Most often, they are designed to spy on victims (stealing their data, passwords, etc.) or to open backdoors that hackers can later use to break into the victim’s device.
It is possible, but not certain, that the fake Shagle app was intended for chosen targets. On the day it was discovered, the StrongPity backdoor was already inactive because of API ID overuse. This means that its creators either made a mistake when designing the campaign or had already achieved their goals, so the application was no longer needed.
Either way, hackers and cybercriminals are particularly active these days. How can you stay safe?
- Trust only official websites. The StrongPity malware case proves that a website can look perfectly “normal” and yet be owned by malicious parties. This is why you should not trust links and files you receive from unknown sources via email or messaging apps.
  Always check whether the website you are on is safe:
  - Look for the closed padlock symbol near the address bar, but remember that the padlock only confirms an encrypted connection; hackers can also buy certificates for their sites.
  - Check the company’s social media. They may have noticed someone trying to impersonate them and warned their users.
  - Visit the website by typing the address manually or doing a Google search rather than using a link someone sent you.
- Use antivirus programs and additional software. Keep an antivirus program on at all times. On top of that, use other security software. For example, NordVPN Threat Protection increases your online security by blocking potentially malicious websites and scanning downloaded files.
- Beware of social engineering scams. Some hackers do not rely on technology but rather use people’s trust against them. They distribute malware by linking it in emails or instant messages while claiming to be trusted parties, such as coworkers, company CEOs, or charities.
  Always make sure you know who you are talking to. Remember that scammers can dig up your information (e.g., by following your social media) and use it to gain your trust or give the impression that they know you in real life.
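The website advice above comes down to checking the address you actually landed on rather than how the page looks or whether it shows a padlock. The following Python script is an added example, not code from the original article, ESET or NordVPN; it assumes a defender-maintained allowlist of official domains (here only shagle.com), uses a small constructed homoglyph table, and classifies constructed sample URLs as official, lookalike (the brand name appears on a host that is not the official domain, as a mirror site would), or unrelated, so it runs offline.

```python
"""Classify a URL's host as official, lookalike, or unrelated.

Added example, not code from the original article, ESET or NordVPN.
OFFICIAL_DOMAINS, the homoglyph table and all sample URLs are constructed
for illustration; no domain from the real campaign is named.
"""
import unicodedata
from urllib.parse import urlsplit

# Assumption: the defender maintains the list of genuine domains.
OFFICIAL_DOMAINS = {"shagle.com"}

# Constructed subset of characters commonly swapped for Latin letters
# (digits, and Cyrillic a/e/o/p/c). Multi-character folds run first.
HOMOGLYPHS = [
    ("rn", "m"), ("vv", "w"),
    ("0", "o"), ("1", "l"), ("|", "l"),
    ("\u0430", "a"), ("\u0435", "e"), ("\u043e", "o"),
    ("\u0440", "p"), ("\u0441", "c"),
]


def host_of(url: str) -> str:
    """Extract the lowercase host, decoding punycode (xn--) labels."""
    if "://" not in url:
        url = "https://" + url  # bare host pasted from a message
    host = (urlsplit(url).hostname or "").rstrip(".")
    try:
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already Unicode, nothing to decode
    return host.lower()


def skeleton(text: str) -> str:
    """Crude confusable skeleton: strip accents, fold look-alike characters."""
    text = unicodedata.normalize("NFKD", text)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    for src, dst in HOMOGLYPHS:
        text = text.replace(src, dst)
    return text.lower()


def classify(url: str) -> str:
    """Return 'official', 'lookalike' or 'unrelated' for the URL's host.

    A host is official only if it is an allowlisted domain or a subdomain
    of one. The TLS padlock is deliberately not consulted: any site can
    obtain a valid certificate.
    """
    host = host_of(url)
    for domain in OFFICIAL_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return "official"
    host_skel = skeleton(host)
    for domain in OFFICIAL_DOMAINS:
        brand = skeleton(domain.split(".")[0])
        if brand in host_skel:
            # Brand name present on a host that is not the official domain,
            # e.g. brand.com.something.invalid or br4nd-download.invalid.
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    SAMPLES = [  # constructed sample URLs
        "https://www.shagle.com/",
        "https://shagle.com.example-mirror.invalid/download",
        "https://sh\u0430gle.com/",  # Cyrillic 'а' in place of Latin 'a'
        "shag1e-app.invalid",
        "https://example.invalid/",
    ]
    for url in SAMPLES:
        print(f"{classify(url):10} {url}")
```

The check rejects the subdomain trick (the official name placed before an attacker-controlled domain) and simple character substitutions, but an allowlist is only as good as its maintenance, so it complements rather than replaces typing the address yourself.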