Introduction

A sophisticated Android malware campaign has been identified [3], targeting users in South Asia [3] [7], particularly in the Kashmir region of India [3]. This campaign involves a malicious application named “Tanzeem,” attributed to the Indian Advanced Persistent Threat (APT) group known as the DoNot Team. The app is designed for intelligence gathering against specific individuals and groups, posing significant security risks.

Description

A sophisticated Android malware campaign has been uncovered [3], targeting users in South Asia [3], particularly in the Kashmir region of India [3]. A malicious application named “Tanzeem,” which translates to “organization” in Urdu [6], has been attributed to the Indian Advanced Persistent Threat (APT) group DoNot Team (also known as APT-C-35 and Origami Elephant). This app [4] [5] [7], disguised as a legitimate messaging platform, is primarily designed for intelligence gathering against specific individuals and groups, including those potentially linked to terrorist organizations [4] [5]. It was first detected in October and December 2024 by the cybersecurity company Cyfirma [6].

Active since 2016 [7], the DoNot group primarily focuses on government and military organizations, as well as ministries of foreign affairs and embassies in South Asian countries [7], including India [4] [5] [7], Pakistan [7], Sri Lanka [7], and Bangladesh [7]. The two variants of the app, “Tanzeem” and “Tanzeem Update,” exhibit identical functions, with only minor modifications noted in their user interfaces. However, once installed, the app fails to function as intended until users grant extensive permissions, which allow attackers to access sensitive data and device functions.

Key permissions sought by the app include:

  • Read Call Logs: Accessing and extracting call records
  • Read SMS: Intercepting text messages
  • Access Fine Location: Tracking live device movement
  • External Storage Access: Exploring [5], modifying [4] [5], and transferring files

The app simulates chat functionality and requires users to enable accessibility access, which directs them to the settings page [7]. This tactic indicates a focus on specific targets both domestically and internationally [7]. Additionally, the app exploits OneSignal [4] [5], a legitimate customer engagement platform [4] [5], to deliver phishing links via push notifications [7], enticing users to install additional malware and enhancing the persistence of the malicious software on targeted devices [2].

Data collected by the app [4] [5], including call logs [4] [5], contact lists [4] [5], SMS messages [7], precise location data [7], account information [7], and files from external storage [7], is sent to command-and-control (C2) servers via Appspot domains [4] [5]. The app is also capable of recording screens and capturing sensitive input [5], such as passwords and video, utilizing obfuscated code and keystroke capture techniques to evade traditional security measures.

The DoNot group’s activities extend beyond internal surveillance [5], actively targeting government and military organizations in South Asia with evolving techniques to maintain their operations. The group is engaged in ongoing cyberattacks [5], and the cybersecurity community is aware of their efforts [5]. Several domains and SHA-256 hashes linked to the malware have been identified [5], including:

  • toolgpt[.]buzz [4] [5] (C2 domain)
  • Solarradiationneutron[.]appspot[.]com [1] [4] [5] (C2 domain)
  • SHA-256 hash: 8689D59AAC223219E0FDB7886BE289A9536817EB6711089B5DD099A1E580F8E4
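The permission profile listed earlier (call logs, SMS, fine location, external storage, plus the accessibility-service prompt) and the indicators above can both be turned into a simple triage check. The following Python script is an added example written for this summary; it is not code from the page, from Cyfirma, or from any of the cited reports. It assumes the AndroidManifest.xml has already been extracted from the APK (how is not shown here), uses the real Android permission names, and treats a declared service guarded by BIND_ACCESSIBILITY_SERVICE as the accessibility indicator (a heuristic, not a claim about Tanzeem's internals). The manifest, package name and DNS log lines are constructed sample data; only the two domains and the SHA-256 hash come from the page.

```python
import hashlib
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions the report associates with the Tanzeem app (real Android permission names).
SURVEILLANCE_PERMISSIONS = {
    "android.permission.READ_CALL_LOG": "call log extraction",
    "android.permission.READ_SMS": "SMS interception",
    "android.permission.ACCESS_FINE_LOCATION": "live location tracking",
    "android.permission.READ_EXTERNAL_STORAGE": "file exfiltration",
    "android.permission.WRITE_EXTERNAL_STORAGE": "file modification",
}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Indicators from the report, kept defanged in the watchlist and refanged only for matching.
IOC_DOMAINS = ["toolgpt[.]buzz", "Solarradiationneutron[.]appspot[.]com"]
IOC_SHA256 = {"8689D59AAC223219E0FDB7886BE289A9536817EB6711089B5DD099A1E580F8E4".lower()}


def refang(domain: str) -> str:
    return domain.replace("[.]", ".").lower()


def manifest_findings(manifest_xml: str) -> list:
    """Return the surveillance-related indicators declared in a manifest."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    perm_attr = f"{{{ANDROID_NS}}}permission"
    requested = {el.get(name_attr) for el in root.iter("uses-permission")}
    findings = [desc for perm, desc in SURVEILLANCE_PERMISSIONS.items() if perm in requested]
    # An accessibility service is declared as a <service> protected by BIND_ACCESSIBILITY_SERVICE.
    if any(svc.get(perm_attr) == ACCESSIBILITY_BIND for svc in root.iter("service")):
        findings.append("accessibility service declared")
    return findings


# Matches dotted hostnames in a log line (lowercased input); timestamps and host IDs without dots are skipped.
HOST_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b")


def matched_domains(dns_lines: list) -> list:
    """Return (observed_host, ioc) pairs for exact or subdomain matches against the watchlist."""
    watch = [refang(d) for d in IOC_DOMAINS]
    hits = []
    for line in dns_lines:
        for host in HOST_RE.findall(line.lower()):
            for ioc in watch:
                if host == ioc or host.endswith("." + ioc):
                    hits.append((host, ioc))
    return hits


def hash_matches(apk_bytes: bytes) -> bool:
    """True if the SHA-256 of the given APK contents is on the indicator list."""
    return hashlib.sha256(apk_bytes).hexdigest() in IOC_SHA256


# Constructed sample manifest mirroring the permission profile described in the report.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chatapp">
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".ChatAccessibilityService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

# Constructed DNS resolver log lines; the OneSignal lookup is legitimate traffic and must not be flagged.
SAMPLE_DNS_LOG = [
    "2025-01-20T09:12:01Z device-17 A toolgpt.buzz NOERROR",
    "2025-01-20T09:12:04Z device-17 A api.onesignal.com NOERROR",
    "2025-01-20T09:13:40Z device-17 A solarradiationneutron.appspot.com NOERROR",
    "2025-01-20T09:14:02Z device-22 A updates.example.org NOERROR",
]

if __name__ == "__main__":
    for finding in manifest_findings(SAMPLE_MANIFEST):
        print("manifest:", finding)
    for host, ioc in matched_domains(SAMPLE_DNS_LOG):
        print("dns hit:", host, "->", ioc)
    print("hash on IoC list:", hash_matches(b"constructed placeholder bytes"))
```

On the constructed manifest the script reports all five permission findings plus the accessibility service, and on the constructed resolver log it flags only the two report domains while leaving the OneSignal lookup alone, which matters because the report describes OneSignal itself as a legitimate platform that the app merely abuses. The subdomain-suffix match is what makes the Appspot indicator useful in practice, since C2 hosts on appspot.com are distinguished only by their subdomain.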

As the DoNot group continues to evolve [5], further modifications in their tactics are expected [4] [5], enhancing their ability to maintain persistence in future cyberattacks using Android malware [5]. Users are advised to exercise caution when installing new apps [3], especially those requesting extensive permissions [3], and organizations in the targeted regions should implement robust security measures to protect against this evolving threat [3]. The situation underscores the necessity for improved security protocols on Android devices, particularly in high-risk environments such as government and corporate sectors.

Conclusion

The discovery of the “Tanzeem” malware campaign highlights the ongoing threat posed by the DoNot Team, particularly to government and military organizations in South Asia [3]. The campaign’s sophisticated tactics, including the exploitation of legitimate platforms and the collection of sensitive data, underscore the need for heightened vigilance and robust security measures. As the DoNot group continues to adapt and refine its methods, it is crucial for users and organizations to remain cautious and proactive in safeguarding their digital environments. Enhanced security protocols and awareness are essential to mitigate the risks associated with such advanced cyber threats.

References

[1] https://www.matricedigitale.it/sicurezza-informatica/apt-donot-malware-android/
[2] https://www.cyfirma.com/research/android-malware-in-donot-apt-operations/
[3] https://cybersecuritynews.com/new-android-malware-mimics-chat-app/
[4] https://osintcorp.net/indian-apt-group-donot-misuses-app-for-intelligence-gathering/
[5] https://www.infosecurity-magazine.com/news/indian-apt-group-donot-app/
[6] https://ciso2ciso.com/donot-team-linked-to-new-tanzeem-android-malware-targeting-intelligence-collection-sourcethehackernews-com/
[7] https://securityaffairs.com/173257/apt/donot-team-android-malware.html