DoNot APT Group Deploys Malicious Android Apps Targeting Indian Users

The Advanced Persistent Threat (APT) group known as DoNot, or APT-C-35, has intensified its cyber-espionage activities by deploying malicious Android applications targeting users in India, particularly in the Kashmir region. These applications masquerade as legitimate services, such as chat platforms and Virtual Private Network (VPN) tools, to infiltrate devices and exfiltrate sensitive data.

Recent investigations have uncovered several malicious applications attributed to the DoNot group:

Tanzeem

Disguised as a chat application, Tanzeem requests extensive permissions upon installation, including access to call logs, contacts, SMS messages, file storage, and precise location data. Once installed, the app never delivers a working chat service; it instead operates as spyware, collecting user data and transmitting it to the attackers.

nSure Chat and iKHfaa VPN

These applications were previously available on the Google Play Store under the developer name “SecurITY Industry.” They requested permissions atypical for their purported functions, such as access to contact lists and precise location data. Analysis revealed that these apps exfiltrated collected data to command-and-control servers operated by the DoNot group.

The DoNot group employs sophisticated methods to maintain persistence and evade detection:

  • Abuse of Legitimate Services: The group uses the OneSignal push-notification platform to deliver phishing links to infected devices. Because the traffic goes through a legitimate third-party service, it blends in with ordinary app notifications and helps the operators keep a foothold on the device.
  • Extensive Permissions Abuse: The malicious apps request a wide range of permissions, including access to call logs, contacts, SMS messages, file storage, precise location data, and the accounts registered on the device (the email addresses and usernames used to log in to other internet services). Together these give the malware comprehensive visibility into the user's data.
  • Obfuscation and Encryption: The malware obfuscates the malicious code inside the APK and encrypts its communication with command-and-control servers, which complicates both static analysis and network-based detection.

Recommendations for Users

  • Exercise Caution with App Downloads: Download applications only from official and reputable sources. Remain vigilant even so, as some of these malicious apps previously passed Google's review and were listed on the Google Play Store (Cyfirma).
  • Review App Permissions: Carefully examine the permissions an application requests, both those declared in its listing and those it prompts for at runtime. Be wary of apps requesting access to data or functions unrelated to their intended purpose, such as a chat or VPN app asking for call logs, SMS, or precise location.
  • Maintain Updated Security Software: Use reputable mobile security solutions to detect and prevent malware infections. Regularly update these applications to ensure they can identify the latest threats.
  • Stay Informed: Keep abreast of the latest security advisories and reports from credible cybersecurity organizations to be aware of emerging threats and attack vectors.
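A practical way to apply the "review app permissions" advice, and to spot the mismatch described above for nSure Chat, iKHfaa VPN and Tanzeem (a chat or VPN app requesting call logs, contacts, SMS, storage, location and device accounts), is to compare what an APK declares against a baseline for its advertised category. The following script is an added example, not code from the original article or from any vendor report: it parses the text printed by `aapt dump permissions <apk>` and flags anything outside the baseline. The category baselines and the two sample dumps are constructed assumptions for illustration; the package names are fictitious.

```python
"""Flag Android permissions that do not fit an app's advertised purpose.

Input is the text produced by `aapt dump permissions <apk>`, which prints
lines such as:  uses-permission: name='android.permission.INTERNET'
"""
from __future__ import annotations

import re
import subprocess

# Assumed baselines: what a plain chat or VPN app can reasonably need.
# These encode a review policy, not an Android rule; adjust to taste.
EXPECTED = {
    "chat": {
        "android.permission.INTERNET",
        "android.permission.ACCESS_NETWORK_STATE",
        "android.permission.CAMERA",
        "android.permission.RECORD_AUDIO",
        "android.permission.POST_NOTIFICATIONS",
    },
    "vpn": {
        "android.permission.INTERNET",
        "android.permission.ACCESS_NETWORK_STATE",
        "android.permission.FOREGROUND_SERVICE",
        "android.permission.POST_NOTIFICATIONS",
    },
}

# Permissions that unlock the data categories the article says these
# spyware apps harvest. Used only to annotate findings with what is at risk.
SPYWARE_INDICATORS = {
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.RECEIVE_SMS": "SMS messages",
    "android.permission.READ_EXTERNAL_STORAGE": "file storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "file storage",
    "android.permission.MANAGE_EXTERNAL_STORAGE": "file storage",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "background location",
    "android.permission.GET_ACCOUNTS": "device accounts (emails/usernames)",
}

# Matches the start of a uses-permission line; trailing attributes such as
# maxSdkVersion='32' are ignored.
USES_PERM_RE = re.compile(r"^uses-permission: name='([^']+)'")


def parse_aapt_permissions(dump: str) -> set[str]:
    """Return the set of permission names found in aapt dump output."""
    perms: set[str] = set()
    for line in dump.splitlines():
        m = USES_PERM_RE.match(line.strip())
        if m:
            perms.add(m.group(1))
    return perms


def review_permissions(dump: str, category: str) -> dict[str, str]:
    """Map each permission outside the category baseline to a reason string."""
    requested = parse_aapt_permissions(dump)
    unexpected = requested - EXPECTED[category]
    findings: dict[str, str] = {}
    for perm in sorted(unexpected):
        reason = f"unexpected for a {category} app"
        if perm in SPYWARE_INDICATORS:
            reason += f"; grants access to {SPYWARE_INDICATORS[perm]}"
        findings[perm] = reason
    return findings


def dump_from_apk(apk_path: str) -> str:
    """Run aapt on a real APK (requires aapt from the Android build tools)."""
    return subprocess.run(
        ["aapt", "dump", "permissions", apk_path],
        check=True, capture_output=True, text=True,
    ).stdout


# Constructed sample dumps (not real apps): a "chat" app declaring the
# spyware-style permission set, and a VPN app that stays within baseline.
SAMPLE_CHAT_DUMP = """\
package: com.example.fakechat
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.ACCESS_NETWORK_STATE'
uses-permission: name='android.permission.READ_CALL_LOG'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.READ_EXTERNAL_STORAGE' maxSdkVersion='32'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.GET_ACCOUNTS'
"""

SAMPLE_VPN_DUMP = """\
package: com.example.plainvpn
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.ACCESS_NETWORK_STATE'
uses-permission: name='android.permission.FOREGROUND_SERVICE'
"""

if __name__ == "__main__":
    for name, dump, cat in (("fakechat", SAMPLE_CHAT_DUMP, "chat"),
                            ("plainvpn", SAMPLE_VPN_DUMP, "vpn")):
        findings = review_permissions(dump, cat)
        print(f"{name}: {len(findings)} suspicious permission(s)")
        for perm, why in findings.items():
            print(f"  {perm}: {why}")
```

To review a real package, pass `dump_from_apk("/path/to/app.apk")` to `review_permissions`. Declared permissions are a necessary but not sufficient signal: an app can hold a permission and never exercise it, and runtime prompts on modern Android decide what is actually granted, so treat a hit as a reason to look further, not as a verdict.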

The DoNot APT group’s deployment of malicious Android applications underscores the evolving tactics of cyber-espionage actors targeting users in India. By disguising malware as legitimate applications and distributing them through trusted platforms, these actors increase the likelihood of successful infections. Users must exercise caution, remain informed, and adopt robust security practices to safeguard their personal information and privacy.
