New Android Malware Linked to DoNot Team
The hacking group known as the DoNot Team has been linked to a new strain of Android malware that is being used in highly targeted attacks.
Malware Overview
Two pieces of malware, identified as Tanzeem (which translates to “organization” in Urdu) and Tanzeem Update, were discovered by the cybersecurity firm Cyfirma in October and December of 2024. Both apps exhibit similar functionalities, with minor variations in their user interfaces.
Malfunctioning Chat Application
According to Cyfirma’s analysis, although the application is designed to function as a chat service, it crashes upon installation after necessary permissions are granted. The naming of the app implies that its creators may have aimed at targeting specific individuals or groups, both domestically and internationally.
Background of DoNot Team
Also tracked as APT-C-35, Origami Elephant, SECTOR02, and Viceroy Tiger, the DoNot Team is a hacking group believed to originate from India. The group has a history of using spear-phishing and Android malware to extract sensitive information from its victims.
Targeted Individuals and Intentions
While the precise targets of this latest malware campaign remain unclear, it is suspected that it is aimed at specific individuals for intelligence-gathering purposes related to internal threats. The app’s use of OneSignal, a well-known customer engagement framework, raises concerns that it may be exploited to deliver phishing notifications that lead to malware installation.
Malware Features and Techniques
The malicious Android application presents a deceptive chat interface and entices users to click a “Start Chat” button, which then prompts them to grant access to the accessibility services API. This access enables the app to conduct various harmful activities, including gathering sensitive information such as call logs, contact lists, SMS messages, precise location data, and external storage files. Additionally, the app has capabilities for screen recording and establishing connections to command-and-control servers.
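The capability profile described above (an accessibility service paired with permissions for call logs, contacts, SMS, precise location and external storage) is something a defender can triage directly from an app's manifest. The script below is an added example, not Cyfirma's code and not derived from the Tanzeem samples: it parses a decoded AndroidManifest.xml (as produced by a tool such as apktool; the sample manifest embedded here is constructed for the example and the package name is fictitious) and flags apps that combine an accessibility service with two or more of the data-harvesting permissions. The permission and action names are real Android identifiers; the threshold of two is an assumption chosen for illustration.

```python
"""Triage a decoded AndroidManifest.xml for the accessibility-plus-harvesting
pattern. Added example; not the article's, Cyfirma's or the malware's code."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names mapped onto the capabilities the article lists.
HARVEST_PERMISSIONS = {
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_CONTACTS": "contact list",
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.READ_EXTERNAL_STORAGE": "external storage",
    "android.permission.RECORD_AUDIO": "audio capture",
}
# An accessibility service must be guarded by this permission and answer this action.
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"

# Constructed sample manifest (fictitious package, not the real Tanzeem manifest):
# a "chat" app that requests harvesting permissions and declares an
# accessibility service.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakechat">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <application android:label="Chat">
        <service android:name=".Helper"
                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""


def triage_manifest(manifest_xml: str) -> dict:
    """Return the package name, the harvesting capabilities requested, whether an
    accessibility service is declared, and a heuristic verdict."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")

    # <uses-permission> elements carry the app-level permission requests.
    requested = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    harvest = sorted(
        HARVEST_PERMISSIONS[p] for p in requested if p in HARVEST_PERMISSIONS
    )

    # A service is an accessibility service if it is guarded by the bind
    # permission or filters for the accessibility action.
    accessibility = False
    for svc in root.iter("service"):
        if svc.get(ANDROID_NS + "permission") == ACCESSIBILITY_PERMISSION:
            accessibility = True
        for action in svc.iter("action"):
            if action.get(ANDROID_NS + "name") == ACCESSIBILITY_ACTION:
                accessibility = True

    # Assumed threshold: accessibility service plus at least two harvesting
    # permissions is the combination worth a manual look.
    suspicious = accessibility and len(harvest) >= 2
    return {
        "package": package,
        "harvest": harvest,
        "accessibility_service": accessibility,
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

A legitimate accessibility tool (a screen reader, say) will also trip the accessibility check, so the verdict is a triage signal for an analyst, not a block decision; what makes the pattern notable is the pairing of that service with broad data access in an app that claims to be a chat client.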
Enhancing Malware Persistence
According to Cyfirma, the discovered malware employs a new strategy involving push notifications that encourage users to install further Android malware, thereby ensuring its ongoing presence on the device. This tactic reflects the threat group’s evolving objectives in collecting intelligence for national interests.
Google’s Response
In response to the findings, a spokesperson from Google stated that there are currently no known instances of this malware available on Google Play. Users are safeguarded by Google Play Protect, which automatically activates on Android devices with Google Play Services. This feature can alert users and block apps exhibiting malicious behavior, regardless of their source.