The Risk actor referred to as DoNot Workforce has been linked to a brand new Android malware as a part of extremely focused cyber assaults.
The artifacts in query, named Tanzeem (which means “group” in Urdu) and Tanzeem Replace, have been noticed in October and December 2024 by cybersecurity firm Cyfirma. The apps in query have been discovered to include an identical features, barring minor modifications to the person interface.
“Though the app is meant to operate as a chat utility, it doesn’t work as soon as put in, shutting down after the required permissions are granted,” Cyfirma famous in a Friday evaluation. “The app’s identify means that it’s designed to focus on particular people or teams each inside and outdoors the nation.”
DoNot Workforce, additionally tracked as APT-C-35, Origami Elephant, SECTOR02, and Viceroy Tiger, is a hacking group believed to be of Indian origin, with historic assaults leveraging spear-phishing emails and Android malware households to assemble data of curiosity.
In October 2023, the risk actor was linked to a beforehand undocumented .NET-based backdoor referred to as Firebird focusing on a handful of victims in Pakistan and Afghanistan.
It is at present not clear who the precise targets of the newest malware have been, though it is suspected that they have been used towards particular people with the purpose of gathering intelligence gathering towards inner threats.
A notable facet of the malicious Android app is using OneSignal, a preferred buyer engagement platform utilized by organizations to ship push notifications, in-app messages, emails, and SMS messages. Cyfirma theorized that the library is being abused to ship notifications containing phishing hyperlinks that result in malware deployment.
Whatever the distribution mechanism used, the app shows a faux chat display screen upon set up and urges the sufferer to click on a button named “Begin Chat.” Doing so triggers a message that instructs the person to grpermissionions to the accessibility providers API, thus permitting it to carry out varied nefarious actions.
The app additionally requests entry to a number of delicate permissions that facilitate the gathering of name logs, contacts, SMS messages, exact places, account data, and recordsdata current in exterior storage. A few of the different options embody capturing display screen recordings and establishing connections to a command-and-control (C2) server.
“The collected samples reveal a brand new tactic involving push notifications that encourage customers to put in further Android malware, making certain the persistence of the malware on the gadget,” Cyfirma mentioned.
“This tactic enhances the malware’s means to stay lively on the focused gadget, indicating the risk group’s evolving intentions to proceed collaborating in intelligence gathering for nationwide pursuits.”
