Advanced persistent threat group "DONOT Team" is leveraging two nearly identical Android apps to conduct intelligence-gathering operations targeting individuals and groups in India that appear to be of national security interest to the country.
The "Tanzeem" and "Tanzeem Update" apps purport to be chat apps but do not work as advertised. Instead, once installed on a device they prompt the user to enable the device's accessibility feature and grant access to several easily misused permissions. The apps then shut down and continue to stealthily harvest information from the compromised device, according to researchers at Cyfirma, who recently observed the new DONOT campaign.
Intelligence Gathering and Beyond
"The ongoing efforts by the notorious DONOT APT extend beyond gathering intelligence on internal threats; they have also targeted various organizations in South Asia," Cyfirma noted in a blog post on Jan. 17. The goal appears to be to collect intelligence of strategic importance to India, the security vendor said.
Cyfirma's analysis of Tanzeem and Tanzeem Update showed the apps using OneSignal, a popular customer engagement platform, to send push notifications to users who install either app on their devices. OneSignal essentially allows developers and businesses to send in-app messages, emails, and SMS messages to users across mobile devices, Web browsers, desktop apps, and other platforms.
When a user installs Tanzeem or Tanzeem Update on their device, they receive a push notification via OneSignal that prompts them to start a fake chat. Users tricked into clicking on the "Start Chat" prompt receive a subsequent prompt asking them to enable Android accessibility services in order to use the app. The victim is then directed to the accessibility settings page, from which the app obtains several dangerous permissions. These include permissions that allow the two malicious Android apps to read and fetch call logs from the compromised device; to read and fetch contact information; and to search for and fetch data from the file manager.
Researchers at Cyfirma also found the apps accessing several other permissions, such as those that allow the threat actor to read and delete both incoming and outgoing text messages. They can also access the Android device's internal storage to extract its exact location and track its movement in real time.
Significantly, Cyfirma found the malicious apps using push notifications to try to get victims to install additional malicious payloads on compromised devices to ensure persistence. "This tactic enhances the malware's ability to remain active on the targeted device, indicating the threat group's evolving intentions to continue participating in intelligence gathering for national interests," Cyfirma noted.
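The combination described above (an app that declares an accessibility service and also requests call-log, contact, SMS, storage and location access) is something a defender can screen for before installing or when triaging an APK. The following is an added example, not code from Cyfirma or from the Tanzeem samples; the mapping from the capabilities Cyfirma lists to Android permission names, and the sample manifest, are this example's own assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Capabilities the article attributes to Tanzeem (call logs, contacts, file
# manager data, SMS read/delete, location), mapped to the Android permissions
# that grant them. This mapping is an assumption of the example.
SURVEILLANCE_PERMISSIONS = {
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_EXTERNAL_STORAGE": "file/storage access",
    "android.permission.READ_SMS": "read SMS",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
}

def triage_manifest(manifest_xml: str, min_hits: int = 3) -> dict:
    """Summarise a decoded AndroidManifest.xml: which surveillance-grade
    permissions it requests, whether it declares an accessibility service,
    and whether the combination warrants manual review."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    perm_attr = f"{{{ANDROID_NS}}}permission"
    requested = {
        SURVEILLANCE_PERMISSIONS[p.get(name_attr)]
        for p in root.iter("uses-permission")
        if p.get(name_attr) in SURVEILLANCE_PERMISSIONS
    }
    # A real accessibility service must be guarded by BIND_ACCESSIBILITY_SERVICE,
    # so its presence is a reliable indicator that the app will ask for that access.
    accessibility = any(
        s.get(perm_attr) == "android.permission.BIND_ACCESSIBILITY_SERVICE"
        for s in root.iter("service")
    )
    return {
        "capabilities": sorted(requested),
        "accessibility_service": accessibility,
        "flag": accessibility and len(requested) >= min_hits,
    }

# Constructed sample manifest for a fake "chat" app; not from any real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chat">
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application>
    <service android:name=".HelperService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""
```

Run `triage_manifest(SAMPLE_MANIFEST)` on a manifest decoded with a tool such as apktool; a flagged result is a prompt for review, not proof of malice, since legitimate accessibility apps exist.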
A Persistent South Asian Threat
DONOT Team, which some vendors track as APT-C-35, SectorE02, and Viceroy Tiger, is a threat group with a likely nexus to India that has been operational since at least 2016. Several vendors have associated the group with attacks and data theft campaigns targeting entities in South Asia. In November 2024, Cyble linked DONOT Team to a campaign targeting manufacturing companies in Pakistan associated with the country's defense and maritime industries.
Others, such as ESET, have reported on DONOT Team using sophisticated Windows and Android malware in espionage campaigns targeting organizations in Sri Lanka, Bangladesh, Pakistan, and Nepal. In 2023, Cyfirma reported finding three malicious Android apps on Google's Play store that the threat actor used against targeted individuals in Kashmir and Pakistan.
DONOT Team is one of several APT groups believed to be operating out of India that are engaged in a range of malicious activities, including online extortion scams, hacktivism, and, increasingly, cyber espionage and surveillance. Security experts believe that at least some of the activity is tied to geopolitical tensions in the region and to a broader growth in all kinds of cybercrime in South Asia in recent years.