
Individuals in the Pakistan region have been targeted using two malicious Android apps available on the Google Play store as part of a new targeted campaign.
Cybersecurity firm Cyfirma believes with some confidence that this campaign is by a threat actor known as DoNot Team, also tracked as APT-C-35 and Viceroy Tiger.
The espionage operation involves tricking Android smartphone owners into installing an app that extracts contact and location data from the device without their knowledge.
“The motive behind the attack is to collect information via the stager payload and use the collected information in a second stage attack using malware with more destructive capabilities,” the company said.
DoNot Team is a threat actor allegedly linked to India that is known to carry out attacks against various South Asian countries and has been active since at least 2016.
An October 2021 report by Amnesty International linked the group’s attack infrastructure to an Indian cybersecurity firm called Innefu Labs, and in February 2023 Group-IB announced that it had identified overlaps between DoNot Team and SideWinder, another hacking group attributed to India.

The attack chains set up by this group use spear-phishing emails carrying decoy documents and files to spread malware. The threat actor is also known to use malicious Android apps disguised as legitimate utilities in targeted attacks.
Once installed, these apps run trojan functionality in the background, steal sensitive information from the infected device, and let the operator remotely control it.

The latest set of applications discovered by Cyfirma comes from a developer named “SecurITY Industry” and is disguised as a VPN app and a chat app, the latter of which is still available for download from the Play Store:
- iKHfaa VPN (com.securityapps.ikhfaavpn) – 10+ downloads
- nSure Chat (com.nSureChat.application) – 100+ downloads
The VPN app, which reuses source code taken from the genuine Liberty VPN product, is no longer hosted on the official app storefront, although evidence indicates it was available as recently as June 12, 2023.
The low download counts indicate that the apps are being used in highly targeted operations characteristic of nation-state actors. Both apps are designed to trick victims into granting intrusive permissions that give access to their contact lists and precise location.
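The permission profile described above (contacts plus precise location) is something an analyst can check directly in a decoded manifest before the app ever runs. The following is an added example, not code from Cyfirma or from the apps discussed: it parses an AndroidManifest.xml as decoded by apktool, lists the contact and location permissions requested, flags the combination, and matches the package name against the two identifiers reported on this page. The two manifests embedded in it are constructed for illustration and are not the real apps' manifests; a package-name match is only a weak indicator, since operators rename packages freely.

```python
"""Added example: triage a decoded AndroidManifest.xml for the
contacts+location permission profile and for the package names reported
on this page.  The sample manifests below are constructed, not real."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Package identifiers reported on this page (Cyfirma).
IOC_PACKAGES = {
    "com.securityapps.ikhfaavpn": "iKHfaa VPN",
    "com.nSureChat.application": "nSure Chat",
}

# Runtime permissions that correspond to the stager behaviour described:
# contact harvesting and location collection.
CONTACT_PERMISSIONS = {"android.permission.READ_CONTACTS"}
LOCATION_PERMISSIONS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_BACKGROUND_LOCATION",
}


def requested_permissions(manifest_xml: str) -> tuple[str, set[str]]:
    """Return (package name, set of <uses-permission> names) from a manifest."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"  # android:name in the Android namespace
    perms = {el.get(name_attr, "") for el in root.iter("uses-permission")}
    return root.get("package", ""), perms


def triage_manifest(manifest_xml: str) -> dict:
    """Flag the contacts+location combination and any known package name."""
    package, perms = requested_permissions(manifest_xml)
    contacts = sorted(perms & CONTACT_PERMISSIONS)
    location = sorted(perms & LOCATION_PERMISSIONS)
    return {
        "package": package,
        "ioc_match": IOC_PACKAGES.get(package),
        "contact_permissions": contacts,
        "location_permissions": location,
        # The combination described on this page. On its own it is a lead,
        # not proof: many legitimate apps request both.
        "contacts_and_location": bool(contacts) and bool(location),
    }


# Constructed sample: a "VPN" whose manifest asks for far more than a VPN needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.securityapps.ikhfaavpn">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
    <application android:label="iKHfaa VPN"/>
</manifest>
"""

# Constructed comparison: a VPN that requests only what a VPN plausibly needs.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.plainvpn">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
    <application android:label="Plain VPN"/>
</manifest>
"""

if __name__ == "__main__":
    for manifest in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(manifest))
```

Run it against the output of `apktool d app.apk` by reading `AndroidManifest.xml` into `triage_manifest`; the useful signal for a VPN or chat utility is not any single permission but a contacts-and-location request that the advertised functionality cannot justify.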
Little is known about the victims targeted using the rogue apps beyond the fact that they are based in Pakistan. The attackers are believed to have approached users through Telegram and WhatsApp messages and encouraged them to install the apps.
Using the Google Play Store as a distribution vector exploits the implicit trust that users place in official app marketplaces and lends the malware an air of legitimacy, which is why any app should be scrutinized carefully before it is installed.
“This Android malware appears to have been designed specifically for information gathering,” said Cyfirma. “By accessing the victim’s contact list and location information, the attacker can strategize future attacks and leverage his advanced Android malware to target and abuse the victim.”