OP 20 June, 2023 - 01:49 PM
(This post was last modified: 20 June, 2023 - 01:50 PM by RealThreat. Edited 2 times in total.)
Individuals in the Pakistan region have been targeted using two rogue Android apps available on
the Google Play Store as part of a new targeted campaign.
Cybersecurity firm Cyfirma attributed the campaign with moderate confidence to a threat actor known as
DoNot Team, which is also tracked as APT-C-35 and Viceroy Tiger.
The espionage activity involves duping Android smartphone owners into downloading a program that's used to
extract contact and location data from unwitting victims.
"The motive behind the attack is to gather information via the stager payload and use the gathered information for the second-stage attack,
using malware with more destructive features," the company said.
DoNot Team is a suspected India-nexus threat actor that has a reputation for carrying out attacks against various countries
in South Asia. It has been active since at least 2016.
While an October 2021 report from Amnesty International linked the group's attack infrastructure to an Indian cybersecurity company called Innefu Labs,
Group-IB, in February 2023, said it identified overlaps between DoNot Team and SideWinder, another hacking crew of likely Indian origin.
Attack chains mounted by the group leverage spear-phishing emails containing decoy documents and files as lures to spread malware. In addition, the threat actor is known to use malicious Android apps that masquerade as legitimate utilities in their target attacks.
These apps, once installed, activate trojan behavior in the background and can remotely control the victim's system,
besides pilfering confidential information from the infected devices.
The latest set of applications discovered by Cyfirma originate from a developer named
"SecurITY Industry" and pass off as VPN and chat apps,
with the latter still available for download from the Play Store -
- iKHfaa VPN (com.securityapps.ikhfaavpn) - 10+ downloads
- nSure Chat (com.nSureChat.application) - 100+ downloads
The VPN app, which reuses source code taken from the genuine Liberty VPN product, is no longer hosted
on the official app storefront, although
evidence shows that it was available as recently as June 12, 2023.
The low download counts are an indication that the apps are being used as part of a highly targeted operation, a hallmark
of nation-state actors. Both apps are
configured to trick the victims into granting them invasive permissions to access their contact lists and precise locations.
Little is known about the victims targeted using the rogue apps barring the fact that they are based in Pakistan. It's believed that users may have been
approached via messages on Telegram and WhatsApp to lure them into installing the apps.
By utilizing the Google Play Store as a malware distribution vector, the approach abuses the implicit trust placed by users on the online app marketplace and lends it an air
of legitimacy. It's, therefore, essential that apps are carefully scrutinized prior to downloading them.
"It appears that this Android malware was specifically designed for information gathering," Cyfirma said. "By gaining access to victims' contact lists and locations,
the threat actor can strategize future attacks and employ Android malware with advanced features to target and exploit the victims."