A targeted campaign against individuals in Pakistan has been uncovered; it relied on two deceptive Android apps found on the Google Play Store. The campaign has been attributed to a threat actor known as DoNot Team or APT-C-35. The main objective of this attack is to collect personal data from unsuspecting victims by disguising a malicious program as a legitimate app. The extracted information, including contact details and location data, is likely intended for future attacks involving more destructive malware.
Based on technical analysis, it has been determined that the primary objective of the attack is to gather information using a stager payload. This collected information is likely intended for use in a second-stage attack, which would involve deploying malware with more destructive capabilities.
DoNot Team, a suspected threat actor with connections to India, has been active in carrying out cyber attacks in South Asian countries since 2016. Their tactics involve using spear-phishing emails with misleading documents and deploying malicious Android apps to propagate their malware. Once installed on a victim’s device, these apps enable remote control capabilities and the theft of confidential information.
The recently discovered rogue apps, named iKHfaa VPN and nSure Chat, were published under the developer name “SecurITY Industry” and masquerade as a VPN app and a chat app respectively. While the VPN app is no longer available on the Play Store, evidence suggests it was accessible until June 12, 2023. The low download counts indicate a highly targeted operation, likely conducted by a nation-state actor. The apps trick users into granting invasive permissions that give them access to the victim’s contact list and precise location.
The victims targeted by these rogue apps are mainly located in Pakistan. It is believed that users may have been approached through Telegram and WhatsApp messages to lure them into installing the apps. By utilizing the Google Play Store as a distribution channel, the threat actors exploit the trust users place in the platform, making the apps appear legitimate. It is crucial to carefully scrutinize apps before downloading them to avoid falling victim to such attacks.
The purpose of this Android malware is primarily information gathering, allowing the threat actor to strategize future attacks and employ advanced Android malware to exploit the victims.
“It appears that this Android malware was specifically designed for information gathering. By gaining access to victims’ contact lists and locations, the threat actor can strategize future attacks and employ Android malware with advanced features to target and exploit the victims”, researchers conclude.