Researchers from Trend Micro have observed a new malware campaign using malicious APK files delivered via Syrian e-Gov site and the researcher attribute this campaign strongly to be from StrongPity APT group.

we learned that the shared sample is a trojanized version of the Syrian e-gov Android application that would steal contact lists and collect files with specific file extensions from its victim’s device.” stated in the Trend Micro blog.

One of the researcher from twitter has pointed out that this malicious APK file might be delivered via syrian gov site through a technique known as “Watering-hole ” attack. Researcher believes there could be the possibility on the compromise of e-Gov site and the legitimate version of APK’s are replaced with the trojanized version of original app.

Trend micro researchers identified that this malicious apk was created during the May 2021 time frame, with additional permission required(declared in AndroidManifest.xml) on the target mobile device for stealing contacts and collecting files with the specific file extensions on the infected

Figure 2. The modified AndroidManifest.xml of the malicious app


  • .asc
  • .dgs
  • .doc
  • .docx
  • .edf
  • .gpg
  • .jpeg
  • .jpg
  • .key
  • .m2r
  • .meo
  • .pdf
  • .pgp
  • .pir
  • .pkr
  • .pub
  • .rjv
  • .rms
  • .sem
  • .sit
  • .skr
  • .sys
  • .xls
  • .xlsx

Two major additional components were added to the malicious version of the application: a service and a receiver. The receiver starts the malicious service. The malicious service is declared as an Android Service, which is an application component that can perform long-running tasks in the background.” stated in the blog post.

Here in, a request will be issued to its C2 servers to get the encrypted payload which allows the malware to change its behavior as per the configuration.

Researchers also conducted some advanced Threat hunting strategies in Virus Total and observed multiple APK files which belonged to the same group with the similar set of malicious code inserted on it

CyberWorkx News readers can find the IOC’s from this link.

–-For more Cyber security news in crisp content . Please follow our site via twitter handle @cyberworkx1

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s