A sophisticated threat actor has been identified in a recent campaign utilizing Android malware disseminated through the Syrian e-Government Web Portal. This marks a significant evolution in the actor’s toolkit, reflecting an enhanced capability to exploit vulnerabilities for malicious purposes.
According to researchers from Trend Micro—Zhengyu Dong, Fyodor Yarochkin, and Steven Du—this incident represents the first documented instance of this group leveraging harmful Android applications in their operations. Their findings were detailed in a technical paper released on Wednesday.
The group, known as StrongPity—also referred to as Promethium by Microsoft—has been active since 2012, primarily targeting individuals in Turkey and Syria. Previously, in June 2020, the group was linked to a series of espionage efforts that employed watering hole attacks and malicious installer software to compromise victims through popular applications.
Cisco Talos noted that StrongPity has shown remarkable resilience, continuing its operations despite repeated exposure. Their persistent attempts to exploit vulnerabilities highlight a commitment to achieving their objectives, regardless of past setbacks.
The current operation reinforces the group’s strategy of repackaging legitimate applications into malicious variants, thereby increasing the likelihood of infection among users. The malware, disguised as the Syrian e-Gov Android application, was reportedly created in May 2021. Its manifest file has been altered to request extensive permissions on the device, such as accessing location, contacts, and Wi-Fi information, while enabling the app to execute at system boot.
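A defender-side check for the manifest changes described above, added here as an example and not taken from the Trend Micro report: it parses a decoded AndroidManifest.xml (assumed to have been extracted from the APK already, e.g. with apktool) and flags the combination of location, contacts and Wi-Fi permissions together with a receiver that starts at boot. The sample manifest, the package name and the `SENSITIVE` list are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"  # ElementTree key for the android:name attribute

# Permissions matching the capabilities reported for the repackaged e-Gov app.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.ACCESS_WIFI_STATE": "wifi",
    "android.permission.RECEIVE_BOOT_COMPLETED": "boot",
}

# Constructed sample manifest for the demo (not the campaign's real manifest).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.egov.repackaged">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name=".BootReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def audit_manifest(manifest_xml: str) -> dict:
    """Flag sensitive permissions and boot-time receivers in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    requested = {p.get(NAME) for p in root.iter("uses-permission")}
    flagged = sorted(p for p in requested if p in SENSITIVE)
    # Receivers whose intent filter listens for BOOT_COMPLETED run at system boot.
    boot_receivers = [
        r.get(NAME) for r in root.iter("receiver")
        if any(a.get(NAME) == "android.intent.action.BOOT_COMPLETED"
               for a in r.iter("action"))
    ]
    return {
        "package": root.get("package"),
        "flagged_permissions": flagged,
        "capabilities": sorted({SENSITIVE[p] for p in flagged}),
        "boot_receivers": boot_receivers,
        # Heuristic: broad data access plus auto-start at boot is a red flag.
        "suspicious": len(flagged) >= 3 and bool(boot_receivers),
    }
```

The threshold in `suspicious` is a starting heuristic; a real triage pipeline would compare the decoded manifest against the legitimate app's published manifest rather than rely on permission counts alone.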
The malicious application is capable of performing extensive background tasks and establishes communication with a remote command-and-control (C2) server. This server sends back encrypted payloads, allowing the malware to adapt its functionality and update its operational parameters as necessary.
Additionally, the malware’s design permits it to collect and exfiltrate a wide range of sensitive data from the infected device, including documents, images, and security keys, ultimately transmitting them to the C2 server.
Trend Micro attributes this operation to StrongPity based on the utilization of a C2 server previously linked to their activities. This includes a malware campaign noted by AT&T’s Alien Labs in July 2019 that involved compromised software such as WinRAR to conduct intrusions.
Researchers emphasize that the threat actor is diversifying its delivery methods. The group appears to be adopting tactics that involve misleading users into downloading applications from compromised websites; because such sideloaded apps require the user to enable installation from “unknown sources” on their device, the approach sidesteps Android’s default protections against installing unvetted software. This not only increases the risk of infection but also highlights the challenges facing users and businesses in maintaining secure environments against evolving threats.