APT Hackers Spread Android Trojan Through Syrian E-Government Portal

Hello hackers,

Let's read some cybersecurity news.

Today we look at a news update from the world of cybersecurity.

An APT group used the Syrian e-government web portal to distribute an Android trojan that compromises victims' phones.

"This is the first time that the group has been publicly observed using malicious Android applications as part of attacks," Trend Micro researchers Zhengyu Dong, Fyodor Yarochkin and Steven Du wrote in their write-up published on Wednesday.

StrongPity, also tracked as Promethium by Microsoft, is believed to have been active since 2012 and has mainly targeted Turkey and Syria. In July 2020 the espionage group was linked to a wave of activity that relied on watering-hole attacks and tampered installers, which abuse the popularity of legitimate applications to infect victims with malware.

Promethium has been resilient over the years, as Cisco Talos disclosed last year. The latest operation is no different: it underscores the group's preference for repackaging benign applications as trojanized variants to carry out its attacks.

The malware, disguised as the Syrian e-Gov Android application, is said to have been created in May 2021, with the app's manifest file, AndroidManifest.xml, modified to explicitly request additional and unusual permissions on the phone, including access to precise location, writing to external storage, reading contacts, accessing other sensitive device information, and reading the state of Wi-Fi networks. A repackaged app asking for permissions the original never needed is the most visible sign of this kind of tampering, and the manifest is the first thing to diff when triaging a suspect build.
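As an added example (not code from the original post, Trend Micro, or the malware itself), the script below diffs the permissions and components declared in a suspect app's decoded AndroidManifest.xml against the manifest of the legitimate build it imitates, which is how an analyst would confirm the "additional and unusual permissions" described above. Both manifests, the package name example.egov.portal and the permission sets are constructed for this example; the list of sensitive permissions is an illustrative subset, not an exhaustive policy. The manifest inside an APK is binary XML, so in practice you first decode it with apktool (apktool d app.apk) and feed the resulting text file to this script.

```python
"""Triage a suspected repackaged APK by diffing its requested permissions
and declared components against the manifest of the legitimate build.

Input is decoded AndroidManifest.xml text (e.g. as produced by
`apktool d app.apk`); the manifest inside an APK is binary XML.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Spyware-relevant permissions worth flagging when they appear in a build
# that did not previously request them. Illustrative subset for this example.
SENSITIVE = frozenset({
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_SMS",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.ACCESS_WIFI_STATE",
})

# Constructed sample manifests. The package name and permission sets are
# invented for this example, not taken from the real app or the trojan.
BASELINE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.egov.portal" android:versionCode="3">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="e-Gov">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""

SUSPECT_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.egov.portal" android:versionCode="3">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="e-Gov">
        <activity android:name=".MainActivity"/>
        <service android:name=".SyncService"/>
        <receiver android:name=".BootReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""


def parse_manifest(xml_text):
    """Return (package, permissions, components) from decoded manifest XML."""
    root = ET.fromstring(xml_text.strip())
    package = root.get("package")
    perms = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}
    perms.discard(None)
    components = set()
    for tag in ("activity", "service", "receiver", "provider"):
        for el in root.iter(tag):
            name = el.get(NAME_ATTR)
            if name:
                components.add(f"{tag}:{name}")
    return package, perms, components


def compare_manifests(baseline_xml, suspect_xml):
    """Diff a suspect manifest against a known-good baseline."""
    base_pkg, base_perms, base_comps = parse_manifest(baseline_xml)
    susp_pkg, susp_perms, susp_comps = parse_manifest(suspect_xml)
    added = susp_perms - base_perms
    return {
        "same_package": base_pkg == susp_pkg,
        "added_permissions": sorted(added),
        "added_sensitive": sorted(added & SENSITIVE),
        "removed_permissions": sorted(base_perms - susp_perms),
        "added_components": sorted(susp_comps - base_comps),
    }


def is_suspicious(report):
    """Heuristic verdict: the same package name but new sensitive
    permissions or new components is the repackaging pattern."""
    return report["same_package"] and bool(
        report["added_sensitive"] or report["added_components"]
    )


if __name__ == "__main__":
    report = compare_manifests(BASELINE_MANIFEST, SUSPECT_MANIFEST)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("verdict:", "SUSPICIOUS" if is_suspicious(report) else "no change")
```

Newly added components matter as much as permissions: a background service or a boot receiver in a build that never had one is where a repackaged app hides its C2 loop. Pair the manifest diff with a signature check (apksigner verify --print-certs app.apk): a repackaged APK cannot carry the original developer's signing certificate, so a certificate mismatch against a known-good copy settles the question on its own.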

The application contacts a remote command-and-control (C2) server, which responds with an encrypted payload containing a settings file. That file lets the malware change its behaviour according to the configuration and update its C2 server address.

The highly modular implant can hoover up data stored on the infected device, such as contacts, Word and Excel documents, PDFs, images, security keys, and files saved by the Dagesh Pro word processor (.DGS), among others, all of which are exfiltrated back to the C2 server.

Because the application is served from the web portal rather than an app store, installing it on the victim's phone requires installation from unknown sources to be enabled, which sidesteps the trust chain of the Android ecosystem. Note that since Android 8.0 this is no longer a single global switch: "Install unknown apps" is granted per source app (for example the browser used to download the APK), so the prompt the victim accepts is tied to whichever app delivered the file.

Attackers increasingly infect phones through the apps themselves: fake apps, or trojans hidden behind reputable apps by repackaging them with modified Java (smali) code and XML resources such as the manifest.

Our only request to everyone: when Android warns you not to install something, do not install it, install apps only from trusted stores, and keep reputable security software on the device.

That's it for today, it's time to say GOODBYE for now…

Happy Hacking!!
