Advanced persistent threat group "DONOT Team" is leveraging two nearly identical Android applications to conduct intelligence-gathering operations targeting individuals and groups in India who appear to be of national security interest to the country.
The "Tanzeem" and "Tanzeem Update" apps purport to be chat apps but don't work as advertised. Instead, once installed on a device they prompt the user to enable the device's accessibility feature and grant access to several easily abused permissions. The apps then shut down and continue to stealthily harvest information from the compromised device, according to researchers at Cyfirma, who recently observed the new DONOT campaign.
Intelligence Gathering and Beyond
"The ongoing efforts by the notorious DONOT APT extend beyond gathering intelligence on internal threats; they have also targeted various organizations in South Asia," Cyfirma noted in a blog post on Jan. 17. The goal appears to be to collect intelligence of strategic importance to India, the security vendor said.
Cyfirma's analysis of Tanzeem and Tanzeem Update showed the apps using OneSignal, a popular customer engagement platform, to send push notifications to users who install either app on their devices. OneSignal essentially allows developers and businesses to send in-app messages, emails, and SMS messages to users across mobile devices, Web browsers, desktop apps, and other platforms.
When a user installs Tanzeem or Tanzeem Update on their device, they receive a push notification via OneSignal that prompts them to start a fake chat. Users tricked into tapping the "Start Chat" prompt receive a subsequent prompt asking them to enable Android accessibility services in order to use the app. The victim is then directed to the accessibility settings page, from which the app obtains several dangerous permissions. These include permissions that allow the two malicious Android apps to read and fetch call logs from the compromised device; to read and fetch contact information; and to search for and fetch data from the file manager.
Researchers at Cyfirma also found the apps requesting several other permissions, such as those that allow the threat actor to read and delete both incoming and outgoing text messages. The apps can also access the Android device's internal storage, extract its exact location, and monitor its movement in real time.
Significantly, Cyfirma found the malicious apps using push notifications to try to get victims to install additional malicious payloads on compromised devices to ensure persistence. "This tactic enhances the malware's ability to remain active on the targeted device, indicating the threat group's evolving intentions to continue participating in intelligence gathering for national interests," Cyfirma noted.
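The pattern described above, a supposed chat app that declares an accessibility service alongside call-log, contact, SMS, storage, and location permissions, can be flagged statically from an APK's manifest before any dynamic analysis. The following is an added example written for this page, not Cyfirma's tooling and not the real Tanzeem manifest: it parses a constructed AndroidManifest.xml, collects the harvesting permissions the article lists, and looks for a service bound with BIND_ACCESSIBILITY_SERVICE. The inclusion of REQUEST_INSTALL_PACKAGES in the watch list is an assumption on my part (the article says follow-on payloads are pushed to the device but not how they are installed), as is the rule "accessibility service plus two or more harvesting permissions equals suspicious".

```python
"""Static manifest triage for the accessibility-abuse spyware pattern.
Added example; not Cyfirma's code and not the Tanzeem manifest.
Run: python3 triage.py  (or extract the manifest from an APK with
apktool/androguard first and pass its text to triage_manifest)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"          # android:name attribute key in ElementTree
PERMISSION = f"{{{ANDROID_NS}}}permission"  # android:permission attribute key

# Data sources the article says the apps reach: call logs, contacts, files,
# SMS, location. REQUEST_INSTALL_PACKAGES is an assumption (a common way
# for an app to sideload further APKs); the article does not name it.
HARVEST_PERMISSIONS = {
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_EXTERNAL_STORAGE": "files on storage",
    "android.permission.MANAGE_EXTERNAL_STORAGE": "all files on storage",
    "android.permission.READ_SMS": "read SMS",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "location while backgrounded",
    "android.permission.REQUEST_INSTALL_PACKAGES": "sideload further APKs (assumed indicator)",
}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"


@dataclass
class Triage:
    package: str
    accessibility_services: list = field(default_factory=list)
    harvest: dict = field(default_factory=dict)  # permission -> what it exposes

    @property
    def suspicious(self) -> bool:
        # Assumed rule: an accessibility service plus two or more harvesting
        # permissions. A chat app has little legitimate need for that pairing.
        return bool(self.accessibility_services) and len(self.harvest) >= 2


def triage_manifest(xml_text: str) -> Triage:
    """Parse manifest XML text and report harvesting permissions and any
    service that binds as an accessibility service."""
    root = ET.fromstring(xml_text)
    result = Triage(package=root.get("package", "<unknown>"))
    for up in root.iter("uses-permission"):
        name = up.get(NAME, "")
        if name in HARVEST_PERMISSIONS:
            result.harvest[name] = HARVEST_PERMISSIONS[name]
    app = root.find("application")
    if app is not None:
        for svc in app.iter("service"):
            # The OS only binds an accessibility service if it is declared
            # with this permission, so its presence is the capability marker.
            if svc.get(PERMISSION) == ACCESSIBILITY_BIND:
                result.accessibility_services.append(svc.get(NAME, "?"))
    return result


# Constructed sample (not a real manifest): a "chat" app declaring an
# accessibility service and the harvesting permissions from the article.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chatapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application android:label="Chat">
    <service android:name=".AccessService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

if __name__ == "__main__":
    t = triage_manifest(SAMPLE_MANIFEST)
    print(t.package, "SUSPICIOUS" if t.suspicious else "ok")
    print("accessibility services:", t.accessibility_services)
    for perm, exposes in t.harvest.items():
        print("  ", perm, "->", exposes)
```

This is a capability check only: a declared accessibility service does nothing until the user enables it in Settings, which is exactly why the apps push the "Start Chat" prompt. Treat a hit as a reason to pull the APK into dynamic analysis and to look for OneSignal-style push SDKs and any follow-on download logic, not as a verdict on its own.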
A Persistent South Asian Threat
DONOT Team, which some vendors track as APT-C-35, SectorE02, and Viceroy Tiger, is a threat group with a likely nexus to India that has been operational since at least 2016. Several vendors have associated the group with attacks and data theft campaigns targeting entities in South Asia. In November 2024, Cyble linked DONOT Team to a campaign targeting manufacturing companies in Pakistan associated with the country's defense and maritime industries.
Others, such as ESET, have reported on DONOT Team using sophisticated Windows and Android malware in espionage campaigns targeting organizations in Sri Lanka, Bangladesh, Pakistan, and Nepal. In 2023, Cyfirma reported finding three malicious Android apps on Google's Play store that the threat actor used against targeted individuals in Kashmir and Pakistan.
DONOT Team is one of several APT groups believed to be operating out of India that are engaged in a range of malicious activities, including online extortion scams, hacktivism, and, increasingly, cyber espionage and surveillance. Security experts believe that at least some of the activity is tied to geopolitical tensions in the region and to a broader rise in all kinds of cybercrime in South Asia in recent years.