ESET malware researchers discovered an Android app masquerading as the Shagle app, a video-chat platform. But here’s the kicker: Shagle is a legitimate randomized video-chat service that offers encrypted communication between strangers, but it doesn’t have an Android or iOS app version.
Pulling the mask off the faux Shagle app, researchers discovered a “trojanized version of the Android Telegram app,” according to the ESET report.
Yes, that Android ‘Shagle’ app is fake
The real Shagle platform is entirely web-based, so if you see an app variant, it’s bogus. The app is functional, but under its disguise, it’s simply an infected version of the Telegram app.
This faux Shagle app is being distributed through a fraudulent website impersonating Shagle’s official page. “The copycat site only provides an Android app to download and no web-based streaming is possible,” ESET researchers said.
The trojanized Telegram app, masquerading as Shagle, is outfitted with backdoor code that can deploy the following spy features against victims:
- recording phone calls
- collecting SMS messages
- snagging victims’ call logs
- spying on contact lists
In addition, after the victim grants the faux Shagle app access to certain services, malicious actors can see incoming notifications. The app can also extract communication from 17 apps, including Gmail, Messenger, Skype, Tinder, and more.
According to ESET, the malicious actor behind the faux Shagle app is StrongPity, a cyberespionage group that’s been active for 11 years. The existence of the group was first brought to public light in 2016, thanks to a report from Kaspersky.
It’s no surprise that a faux Shagle website was erected to trick online users into downloading an infected Android app. After all, that’s the group’s modus operandi. StrongPity is known for using phony, misleading websites that give visitors the impression that they offer legitimate software tools, when in reality visitors are being baited into downloading infected versions of genuine apps.
While there have been plenty of reports of malicious apps slipping through Google Play’s cracks and wrecking users’ phones, you won’t find the faux Shagle app in any official Android store. This fraudulent app was found outside of the Google Play Store, packaged as an APK, so the moral of the story is simple. Stick to downloading Android games, services and other software goodies from legit stores only.
Fortunately, according to ESET, the copycat Shagle website is no longer active.