Individuals in the Pakistani region have been targeted using two malicious Android apps available on the Google Play Store as part of a new targeted campaign.
Cybersecurity firm Cyfirma has linked the campaign with moderate confidence to threat actors known as DoNot Team, who are also being traced as APT-C-35 and Viceroy Tiger.
The espionage activity involves tricking Android smartphone owners into downloading a program used to extract contact and location data from unwitting victims.
“The motive behind the attack was to collect information via the stager payload and use the collected information for the second stage of the attack, using malware with more destructive features,” the company said.
DoNot Team is a suspected Indian threat actor with a track record of attacks against various countries in South Asia. It has been active since at least 2016.
An October 2021 report from Amnesty International linked the group’s attack infrastructure to the Indian cybersecurity firm Innefu Labs. In February 2023, Group-IB said it had identified overlaps between DoNot Team and SideWinder, another alleged Indian hacking crew.
The group’s attack chains rely on spear-phishing emails carrying decoy documents and files as bait to deliver malware. The threat actors are also known to use malicious Android applications that masquerade as legitimate utilities in their targeted attacks.
These applications, once installed, activate trojan behavior in the background and can remotely control the victim’s system, in addition to stealing confidential information from the infected device.
The latest batch of apps discovered by Cyfirma come from a developer called “Security Industry” and pose as VPN and chat apps, with the latter still available for download from the Play Store:
- iKHfaa VPN (com.securityapps.ikhfaavpn) – 10+ downloads
- nSure Chat (com.nSureChat.application) – 100+ downloads
The VPN app, which reuses source code taken from the legitimate Liberty VPN product, is no longer hosted on the official app storefront, although evidence shows it was still available as recently as June 12, 2023.
The low number of downloads is an indication that the app is being used as part of a highly targeted operation, a hallmark of nation-state actors. Both apps are configured to trick victims into granting them invasive permissions to access their contact list and exact location.
Little is known about the victims targeted using the rogue app except for the fact that they are based in Pakistan. It is believed that users may have been approached via messages on Telegram and WhatsApp to lure them into installing the app.
By leveraging the Google Play Store as a malware distribution vector, the approach abuses the implicit trust users place in the official app marketplace and lends the apps a sense of legitimacy. It is therefore important to scrutinize an application carefully, including the permissions it requests, before installing it.
“It appears that this Android malware was specifically designed to gather information,” said Cyfirma. “By gaining access to a victim’s contact list and location, threat actors can strategize future attacks and use Android malware with advanced features to target and exploit victims.”