DoNot Team Unveils Stealthy Android Malware: Targeted Spyware Campaigns Evolve with New Tactics

The cyber threat actor known as the DoNot Team has been linked to a new strain of Android malware, discovered as part of highly targeted cyberattacks. Cybersecurity firm Cyfirma identified these malicious apps, named Tanzeem (meaning "organization" in Urdu) and Tanzeem Update, in October and December 2024. Both apps share nearly identical functionality, with only minor differences in their user interfaces.

Despite being presented as chat applications, the apps fail to function post-installation, shutting down immediately after obtaining the required permissions. Cyfirma noted that the app's name and design suggest it is intended to target specific individuals or groups both domestically and internationally.

DoNot Team, also known as APT-C-35, Origami Elephant, SECTOR02, and Viceroy Tiger, is an Indian-origin hacking group known for using spear-phishing emails and Android malware to gather sensitive information. In October 2023, the group was connected to Firebird, a previously undocumented .NET-based backdoor that targeted a limited number of victims in Pakistan and Afghanistan.

Although the specific targets of the newly discovered malware remain unclear, the apps appear to be designed for intelligence gathering, focusing on internal threats. A distinctive feature of these malicious Android applications is their exploitation of OneSignal, a popular platform used for sending notifications, in-app messages, emails, and SMS. Cyfirma suggested that OneSignal might be misused to deliver phishing links that lead to malware downloads.

Upon installation, the app displays a fake chat screen and prompts users to click a "Start Chat" button. This action triggers a message instructing the user to grant permissions for the accessibility services API, enabling the app to carry out malicious activities. The app also seeks access to sensitive permissions, including call logs, contacts, SMS messages, location data, account information, and external storage files. Additional functionalities include screen recording and connections to a command-and-control (C2) server.
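The permission profile described above (accessibility service plus call logs, contacts, SMS, location, accounts and storage) is something an analyst can check for before the app ever runs. The following is an added triage example, not Cyfirma's tooling or code from the report: it parses a constructed AndroidManifest.xml, flags that combination, and notes whether any declared component belongs to the OneSignal SDK (assumed here to live under the `com.onesignal` package). A real workflow would first decode the binary manifest out of the APK.

```python
"""Manifest triage for the spyware permission profile described in the article.
Added example with a constructed manifest; the class names under .A11y and
com.onesignal.* are placeholders, not identifiers taken from the report."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Runtime permissions matching the data the article says the apps request
SENSITIVE = {
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.GET_ACCOUNTS": "account information",
    "android.permission.READ_EXTERNAL_STORAGE": "external storage",
}
# An accessibility service is a <service> guarded by this permission
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
COMPONENTS = ("service", "receiver", "activity")


def triage(manifest_xml: str) -> dict:
    """Return the sensitive-data permissions found, whether an accessibility
    service is declared, whether OneSignal components are present, and a verdict."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    found = sorted(label for name, label in SENSITIVE.items() if name in perms)
    a11y = any(s.get(ANDROID_NS + "permission") == ACCESSIBILITY
               for s in root.iter("service"))
    # Assumption: OneSignal SDK components are declared under com.onesignal
    onesignal = any((c.get(ANDROID_NS + "name") or "").startswith("com.onesignal.")
                    for c in root.iter() if c.tag in COMPONENTS)
    # A "chat app" that wants accessibility plus several data sources is the pattern
    suspicious = a11y and len(found) >= 3
    return {"sensitive": found, "accessibility_service": a11y,
            "onesignal": onesignal, "suspicious": suspicious}


# Constructed sample manifest resembling the profile described above
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.chat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application>
    <service android:name=".A11y"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name="com.onesignal.PlaceholderReceiver"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```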

Cyfirma’s analysis highlights a new tactic employed by the malware: leveraging push notifications to encourage users to install additional malicious apps. This approach helps ensure the malware’s persistence on the device. The evolving techniques underscore the threat actor's intentions to bolster intelligence-gathering operations for national purposes.