
Trojanised Telegram, a fake Pokemon NFT game and other cybersecurity events
We have gathered the week’s most important cybersecurity news.
- Users fell victim to espionage via a trojanised Telegram.
- A fake Pokemon NFT game allowed hackers to take control of Windows devices.
- Data of 200 million Twitter users was made public.
- MetaMask warned of a new cryptocurrency scam.
Users fall victim to espionage by trojanised Telegram
ESET researchers uncovered a fake Shagle app, a trojanised version of the Telegram Android app with a backdoor added to its code.
This week, the ESET research team published their findings about an espionage campaign by the StrongPity APT group that spreads a fully functional, but trojanized version of the legitimate Telegram app for Android.
▶️ Watch #WeekInSecurity with @TonyAtESET to learn more.
— ESET (@ESET) January 13, 2023
The malware distribution is attributed to the hacker group StrongPity.
The legitimate Shagle platform provides random encrypted video chats, but it is web-first and has no dedicated mobile app. Since 2021, StrongPity has distributed malware masquerading as the official Shagle site.
After installation, the app allows hackers to monitor victims by recording calls, tracking device location, collecting SMS messages, call logs, contacts, and files. The collected data ultimately makes its way to the hackers’ command-and-control server.
The malware’s permissions enable it to read incoming notifications and messages from various apps, including Gmail, Kik, LINE, Facebook Messenger, Skype, Snapchat, Telegram, Tinder, Twitter, Viber and WeChat.
Additionally, on devices with full administrative privileges, the malware can automatically change security settings, write data to the filesystem, and reboot the phone.
ESET analysts suspect that links to the fake Shagle site were spread via phishing email campaigns, SMS phishing, or instant messages on online platforms.
The hackers’ site is currently inactive.
Fake Pokemon NFT game allowed hackers to gain control of Windows devices
Through a fake Pokemon card game site, attackers distribute the NetSupport remote access tool to gain control over victims’ devices, according to experts at ASEC.
According to the site, the strategy game is based on the Pokemon franchise and promises users extra earnings from NFT investments.
Clicking the ‘Play on PC’ button downloads an executable that looks like a standard game installer but actually installs the NetSupport remote access tool on the victim’s system. Although NetSupport Manager is legitimate software, attackers frequently abuse it in their malware campaigns.
It enables hackers to remotely connect to the infected device to steal data, install other malware, or attempt further propagation across the network.
The first signs of activity for this campaign appeared in December 2022. At the time of writing, the site was still accessible.
Data of 200 million Twitter users exposed online
Another Twitter user data leak was documented on the well-known Breached hacker forum. As reported by Bleeping Computer, the 59-GB dump contains information on 200 million profiles.
The hacker valued the database at $2.
In total, 211,524,284 unique email addresses were exposed. The dump also includes names, usernames, follower counts and account creation dates.
Twitter representatives stated that user information was not obtained through the previously identified vulnerability in the API related to the Android client authentication process.
In December 2021, that vulnerability could be exploited by submitting phone numbers and email addresses to the API to obtain the matching Twitter ID. The bug was fixed in January 2022.
“The aforementioned dataset of 200 million users cannot be correlated with the incident previously reported or any information obtained from exploiting Twitter systems,” said Twitter representatives.
Twitter stressed that the dump did not contain passwords or information that could lead to password compromises.
MetaMask warns of a new cryptocurrency scam
The non-custodial wallet MetaMask warned of a new scam called ‘Address Poisoning,’ which makes users send funds to the scammer instead of the intended recipient.
A new scam called ‘Address Poisoning’ is on the rise. Here’s how it works: after you send a normal transaction, the scammer sends a $0 token txn, ‘poisoning’ the txn history. (1/3)
— MetaMask Support (@MetaMaskSupport) January 11, 2023
Attackers poison the transaction history by generating wallet addresses that resemble those used in the victim’s recent transfers.
Then the attacker sends a small amount of cryptocurrency to the victim’s address or even a zero-value transaction so it shows up in the wallet history. Because MetaMask shortens addresses in the transaction history, it creates the impression that this is the same person’s address.
The attacker then waits for the victim to copy the lookalike address from the history and use it in a subsequent transfer.
There is no foolproof way to prevent this kind of fraud, so MetaMask warns users to be careful when copying addresses from transactions.
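The mitigation MetaMask describes comes down to comparing full addresses rather than the shortened form shown in the history. The following is an added example, not code from the article or from MetaMask, of the check a wallet front end (or a user’s own tooling) could run before a recipient address copied from history is reused: it classifies a candidate address against the user’s saved contacts as an exact match, a lookalike that differs only in the hidden middle characters, or an unknown address, and it flags incoming zero-value or dust transfers from such lookalikes as poisoning candidates. Every address, transaction hash, the display width of the shortened form and the dust threshold below are constructed assumptions.

```javascript
// Address-poisoning lookalike detection (added example, not code from the
// article or from MetaMask). Every address, hash and transaction below is
// constructed for illustration.

// How a wallet UI typically shortens an address: "0x" + five hex digits,
// an ellipsis, then the last five hex digits. The exact width is an
// assumption; only the "same ends, different middle" property matters.
const PREFIX_LEN = 7; // "0x" plus five hex digits
const SUFFIX_LEN = 5;

function normalize(addr) {
  // Compare case-insensitively so checksum-cased input still matches.
  return String(addr).trim().toLowerCase();
}

function shortenAddress(addr) {
  const a = normalize(addr);
  return `${a.slice(0, PREFIX_LEN)}...${a.slice(-SUFFIX_LEN)}`;
}

// Two distinct addresses are lookalikes if they render identically when shortened.
function looksAlike(a, b) {
  const x = normalize(a);
  const y = normalize(b);
  return x !== y && shortenAddress(x) === shortenAddress(y);
}

// Classify an address the user is about to reuse:
//   'known'     - exact match against a saved contact (full 42-character compare)
//   'lookalike' - differs from a saved contact only in the hidden middle part
//   'unknown'   - neither
function classifyAddress(candidate, addressBook) {
  const c = normalize(candidate);
  if (addressBook.some((known) => normalize(known) === c)) return 'known';
  if (addressBook.some((known) => looksAlike(known, c))) return 'lookalike';
  return 'unknown';
}

// Poisoning signature: an incoming transfer of zero (or dust) value from an
// address that looks like one of the user's real counterparties.
const DUST_THRESHOLD_WEI = 10n ** 15n; // 0.001 ETH, an assumed cutoff

function findPoisoningCandidates(history, addressBook) {
  return history.filter(
    (tx) =>
      tx.direction === 'in' &&
      tx.valueWei <= DUST_THRESHOLD_WEI &&
      classifyAddress(tx.counterparty, addressBook) === 'lookalike'
  );
}

// Constructed sample data: one real counterparty, one poisoned lookalike that
// shares the first five and last five hex digits, and one unrelated address.
const REAL_CONTACT = '0xab12cd34ef56ab12cd34ef56ab12cd34ef56ab12';
const POISONED_LOOKALIKE = '0xab12cdeadbeefdeadbeefdeadbeefdeadbe6ab12';
const UNRELATED = '0x1111111111111111111111111111111111111111';
const ADDRESS_BOOK = [REAL_CONTACT];

const SAMPLE_HISTORY = [
  { hash: '0xtx01', direction: 'out', counterparty: REAL_CONTACT, valueWei: 10n ** 18n },
  { hash: '0xtx02', direction: 'in', counterparty: POISONED_LOOKALIKE, valueWei: 0n },
  { hash: '0xtx03', direction: 'in', counterparty: UNRELATED, valueWei: 5n * 10n ** 17n },
];

// Both addresses display identically once shortened, which is the whole trick.
console.log(shortenAddress(REAL_CONTACT), shortenAddress(POISONED_LOOKALIKE));
console.log(classifyAddress(POISONED_LOOKALIKE, ADDRESS_BOOK)); // lookalike
console.log(findPoisoningCandidates(SAMPLE_HISTORY, ADDRESS_BOOK).map((tx) => tx.hash)); // [ '0xtx02' ]
```

The point of `classifyAddress` is that the decision is made on the full string, never on the shortened display; a wallet that surfaces the ‘lookalike’ result as a warning at send time, and that hides or labels the flagged zero-value transfers in the history view, removes the visual cue the scam depends on without needing to block anything.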
Darknet marketplaces shift to Android apps
From Q3 2022, drug-trafficking darknet marketplaces began using their own Android apps to increase privacy and avoid law enforcement attention, according to Resecurity.
Resecurity has released a report on drug trafficking in the Dark Web, highlighting the new communication methods used by criminals such as proprietary Android-based mobile apps and the launch of the new underground marketplace KRAKEN. Learn more👇: https://t.co/jpJDOuCuNB
— Resecurity® (@RESecurity) January 9, 2023
According to the researchers, at least seven trading platforms — Yakudza, TomFord24, 24Deluxe, PNTS32, Flakka24, 24Cana and MapSTGK — released APK files of their own Android apps.
Experts suggested this was a response to last year’s law-enforcement actions, notably the closure of Hydra marketplace.
The mobile apps are used to transmit data about drug orders and to send the geographic coordinates of the stash left by the courier. Splitting communications across separate apps fragments the evidence and hampers law enforcement efforts to track the criminals.
Experts logged a breach affecting 3.5 million Mail.ru users
Data from one of Mail.ru’s services was made public, according to the Telegram channel “Info Leaks”.
The published database includes more than 3.5 million rows, including:
- nickname, first name, last name and user ID;
- email address on the mail.ru, corp.mail.ru, bk.ru, inbox.ru and list.ru domains;
- mobile phone number.
In total, 1,647,711 unique phone numbers are in the database. A random check via the account.mail.ru password-recovery form confirmed that the leaked entries belong to real users.
Mail.ru said that users are not under threat and that the service is “secure.”
“The published data relate to a leak from a third-party resource in early 2022,” according to the company’s press service.
The company is investigating the incident.
Also on ForkLog:
- CoinMarketCap accused of conducting fake airdrops.
- CFTC filed a lawsuit against participant in the Mango Markets DeFi attack.
- Report: crypto industry losses from hacks in 2022 rose to $3.6B.
- Brother of Helix founder pleaded guilty to stealing 712 BTC.
What to read this weekend?
Read about DeFi hacks and scams in 2022 in ForkLog’s end‑of‑year piece.
Follow ForkLog’s bitcoin news in our Telegram — cryptocurrency news, prices and analysis.
ForkLog newsletters: keep your finger on the pulse of the bitcoin industry!