Individuals in the Pakistan region have been targeted using two rogue Android apps available on the Google Play Store as part of a new targeted campaign.
Cybersecurity firm Cyfirma attributed the campaign with moderate confidence to a threat actor known as DoNot Team, which is also tracked as APT-C-35 and Viceroy Tiger.
The espionage activity involves duping Android smartphone owners into downloading a program that’s used to extract contact and location data from unwitting victims.
“The motive behind the attack is to gather information via the stager payload and use the gathered information for the second-stage attack, using malware with more destructive features,” the company said.
DoNot Team is a suspected India-nexus threat actor that has a reputation for carrying out attacks against various countries in South Asia. It has been active since at least 2016.
While an October 2021 report from Amnesty International linked the group’s attack infrastructure to an Indian cybersecurity company called Innefu Labs, Group-IB, in February 2023, said it identified overlaps between DoNot Team and SideWinder, another suspected Indian hacking crew.
Attack chains mounted by the group leverage spear-phishing emails containing decoy documents and files as lures to spread malware. In addition, the threat actor is known to use malicious Android apps that masquerade as legitimate utilities in their target attacks.
These apps, once installed, activate trojan behavior in the background and can remotely control the victim’s system, besides pilfering confidential information from the infected devices.
The latest set of applications discovered by Cyfirma originate from a developer named “SecurITY Industry” and pass off as VPN and chat apps, with the latter still available for download from the Play Store –
- iKHfaa VPN (com.securityapps.ikhfaavpn) – 10+ downloads
- nSure Chat (com.nSureChat.application) – 100+ downloads
The VPN app, which reuses source code taken from the genuine Liberty VPN product, is no longer hosted on the official app storefront, although evidence shows that it was available as recently as June 12, 2023.
The low download counts is an indication that the apps are being used as part of a highly targeted operation, a hallmark of nation-state actors. Both apps are configured to trick the victims into granting them invasive permissions to access their contact lists and precise locations.
Little is known about the victims targeted using the rogue apps barring the fact that they are based in Pakistan. It’s believed that users may have been approached via messages on Telegram and WhatsApp to lure them into installing the apps.
By utilizing the Google Play Store as a malware distribution vector, the approach abuses the implicit trust placed by users on the online app marketplace and lends it an air of legitimacy. It’s, therefore, essential that apps are carefully scrutinized prior to downloading them.
“It appears that this Android malware was specifically designed for information gathering,” Cyfirma said. “By gaining access to victims’ contact lists and locations, the threat actor can strategize future attacks and employ Android malware with advanced features to target and exploit the victims.”