CyberSecurity news

@ciso2ciso.com //
The DONOT APT group has been identified deploying malicious Android applications, "Tanzeem" and "Tanzeem Update," targeting individuals and groups within India. These apps are disguised as legitimate chat applications, but fail to function as such. Once installed, they prompt users to enable accessibility features, granting the apps access to sensitive permissions. The applications proceed to stealthily harvest information from the device. Researchers at Cyfirma discovered this new DONOT campaign and noted these operations are focused on gathering intelligence of strategic importance to India.

Cyfirma’s analysis shows the malicious apps use the OneSignal customer engagement platform to send push notifications. These notifications trick users into enabling accessibility permissions. Once enabled, the apps gain access to call logs, contact information, and files on the compromised device. The DONOT group appears to target specific individuals or groups of national security interest. The researchers also noted that the techniques used in this campaign have previously been seen in other applications used by this group. The information suggests the campaign may involve internal and external intelligence gathering.
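A defender-side triage sketch for the trait combination described above, added here as an example and not taken from Cyfirma's report or the referenced articles: it reads a decoded AndroidManifest.xml (for example, one produced by apktool) and flags apps that declare an accessibility service together with access to call logs, contacts or files, and notes whether OneSignal SDK components are present. The permission mapping, the `triage_manifest` helper and the sample manifest (including its component names) are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
A11Y_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
# Assumed mapping from the data named in the report to Android permissions.
SENSITIVE = {
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_EXTERNAL_STORAGE": "files",
}
COMPONENT_TAGS = ("service", "receiver", "activity", "provider")

# Constructed sample manifest; package and component names are placeholders.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.chat">
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <service android:name=".SyncService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name="com.onesignal.PlaceholderReceiver"/>
  </application>
</manifest>"""


def triage_manifest(manifest_xml: str) -> dict:
    """Flag an accessibility service combined with sensitive data permissions."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    data_access = sorted(label for perm, label in SENSITIVE.items() if perm in requested)
    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE.
    a11y = [s.get(ANDROID_NS + "name") for s in root.iter("service")
            if s.get(ANDROID_NS + "permission") == A11Y_BIND]
    # OneSignal SDK components are declared under the com.onesignal package.
    push_sdk = any((c.get(ANDROID_NS + "name") or "").startswith("com.onesignal.")
                   for tag in COMPONENT_TAGS for c in root.iter(tag))
    return {
        "accessibility_services": a11y,
        "data_access": data_access,
        "onesignal_sdk": push_sdk,
        "review": bool(a11y) and bool(data_access),
    }


if __name__ == "__main__":
    print(triage_manifest(SAMPLE))
```

A `review` result is a prompt for manual analysis, not a verdict: legitimate assistive apps also declare accessibility services, and a push SDK on its own is common in benign apps.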


References:
  • ciso2ciso.com: DONOT Group Deploys Malicious Android Apps in India
  • ciso2ciso.com: Advanced persistent threat group “DONOT Team” is leveraging two nearly identical Android applications to conduct intelligence-gathering operations targeting individuals and groups in India who appear to be of national security interest to the country.
Classification:
  • HashTags: #AndroidMalware #DONOTAPT #Espionage
  • Company: DONOT Group
  • Target: Indian Individuals
  • Attacker: DONOT Group
  • Product: Android Apps
  • Feature: Android Malware
  • Malware: Tanzeem
  • Type: Malware
  • Severity: Major