The research team at CYFIRMA has uncovered an alarming Android malware campaign attributed to the Indian advanced persistent threat (APT) group known as DONOT. This campaign involves the use of two malicious applications, Tanzeem and Tanzeem Update, designed to exploit user trust and gather intelligence under the guise of legitimate chat apps. The malware reflects the group’s continued efforts to target specific individuals and organizations for strategic intelligence collection.
The apps, named Tanzeem—Urdu for “organization”—appear to be linked to terrorist and law enforcement groups operating within India, such as Jaish-e-Mohammad and Lashkar. However, instead of functioning as a real chat application, the apps shut down after the user grants them extensive permissions.
CYFIRMA noted, “The app’s name suggests that it is designed to target specific individuals or groups both inside and outside the country.” Both samples collected by researchers—one in October and another in December—were nearly identical, with only minor changes to the user interface.
The apps exploit a legitimate customer engagement tool, OneSignal, to send push notifications containing phishing links. According to CYFIRMA, “This is the first time we have observed this APT group utilizing” the OneSignal library.

The apps demand several dangerous permissions, enabling the attackers to:
- Access Call Logs: Read and fetch call history.
- Read Contacts: Harvest contact lists.
- Control File Storage: Delete, move, and explore files.
- Read SMS: Monitor incoming and outgoing messages.
- Track Location: Extract precise GPS data for real-time monitoring.
- Access User Accounts: Retrieve usernames and email addresses used for online services.
The malicious apps also connect to command-and-control (C2) servers via a hidden URL, ensuring attackers maintain remote access to the infected devices.
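The permission set listed above is the kind of thing a triage script can flag automatically. The following is an added example, not CYFIRMA's tooling or code from the Tanzeem samples: it parses a decoded AndroidManifest.xml, maps each requested permission to the capability groups named in the report (call logs, contacts, storage, SMS, location, accounts) and marks the app suspicious when a supposed chat app covers most of them. Both manifests embedded below are constructed for illustration; the permission names are standard Android permission strings, and the threshold is an assumption chosen for this example.

```python
"""Flag high-risk permission combinations in a decoded AndroidManifest.xml.

Added example (not CYFIRMA's tooling, not the Tanzeem manifest). The two
manifests below are constructed: one mimics the profile described in the
report, the other is what a plain chat client would plausibly request.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Capability groups from the report -> standard Android permissions that grant them.
CAPABILITIES = {
    "call_logs": {"android.permission.READ_CALL_LOG",
                  "android.permission.WRITE_CALL_LOG"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "storage": {"android.permission.READ_EXTERNAL_STORAGE",
                "android.permission.WRITE_EXTERNAL_STORAGE",
                "android.permission.MANAGE_EXTERNAL_STORAGE"},
    "sms": {"android.permission.READ_SMS",
            "android.permission.RECEIVE_SMS",
            "android.permission.SEND_SMS"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION",
                 "android.permission.ACCESS_BACKGROUND_LOCATION"},
    "accounts": {"android.permission.GET_ACCOUNTS"},
}

# Constructed sample: a "chat app" that asks for far more than chat needs.
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.chat">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
</manifest>
"""

# Constructed sample: a minimal messaging client for comparison.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.plainchat">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> set:
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return {el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)}


def covered_capabilities(perms: set) -> dict:
    """Map each capability group to the requested permissions that grant it."""
    return {cap: perms & names for cap, names in CAPABILITIES.items() if perms & names}


def triage(manifest_xml: str, threshold: int = 4) -> dict:
    """Summarise the manifest; 'suspicious' is True when the app covers at
    least `threshold` of the capability groups (threshold is an assumption)."""
    perms = requested_permissions(manifest_xml)
    caps = covered_capabilities(perms)
    return {
        "permissions": sorted(perms),
        "capabilities": {cap: sorted(names) for cap, names in caps.items()},
        "suspicious": len(caps) >= threshold,
    }


if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        report = triage(manifest)
        print(label, "->", "FLAG" if report["suspicious"] else "ok",
              "; capability groups:", ", ".join(report["capabilities"]))
```

In practice the manifest comes from an APK decoded with a tool such as apktool; the point of the check is the combination, not any single permission, since a genuine messenger may legitimately need contacts or notifications but has no reason to read call logs, SMS, precise location and account identities at once.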
A key innovation in this campaign is the use of push notifications to spread additional malware. CYFIRMA’s report states, “The collected samples reveal a new tactic involving push notifications that encourage users to install additional Android malware, ensuring the persistence of the malware on the device.” This tactic enhances the malware’s ability to evade detection and remain active.
The DONOT APT group has a history of conducting intelligence-gathering operations across South Asia, often supporting Indian national interests. The research highlights the group’s persistent efforts: “The ongoing efforts by the notorious DONOT APT extend beyond gathering intelligence on internal threats; they have also targeted various organizations in South Asia.”
Their operations involve leveraging Android malware to infiltrate sensitive targets, ensuring continued data collection and strategic advantage.
CYFIRMA emphasizes, “The group’s relentless efforts suggest that their operations are far from over.” Organizations and individuals in South Asia, in particular, should remain vigilant and adopt stringent security measures to safeguard against these threats.