The recent research by CYFIRMA unveils a sophisticated Android malware operation linked to the Indian APT group known as DONOT, which appears to be leveraging a seemingly innocuous application for malicious purposes. This group, believed to serve Indian national interests, is reportedly focused on intelligence gathering against internal threats, employing a customer engagement platform to mask its activities.
Overview of the malicious application
The application in question is named Tanzeem and Tanzeem Update, terms that resonate with organizations involved in terrorism and law enforcement in India. The name itself translates to “organization” in Urdu, hinting at its potential targets. The research team collected two samples of this app—one in October and another in December—finding them nearly identical with only minor user interface changes. Despite being marketed as a chat application, Tanzeem fails to function post-installation, crashing immediately after permissions are granted, which raises red flags about its true intentions.
Exploitation of push notification services
A notable aspect of this malware is its utilization of OneSignal, a widely used platform for sending notifications and messages. However, DONOT appears to be misusing this service to deliver phishing links through push notifications. This marks the first observed instance of this APT group employing OneSignal in their operations, indicating an evolution in their tactics. Upon installation, users are directed to a landing page that falsely presents chat functionalities, further deceiving victims.
Permissions and data access
The Tanzeem application requests several dangerous permissions that allow it to harvest sensitive data from users’ devices:
| Permission | Description |
|---|---|
| READ_CALL_LOG | Access call logs. |
| READ_CONTACTS | Access contact information. |
| READ_EXTERNAL_STORAGE | Explore files on the device. |
| WRITE_EXTERNAL_STORAGE | Delete or move files. |
| READ_SMS | Read and delete SMS messages. |
| ACCESS_FINE_LOCATION | Track precise user locations. |
| GET_ACCOUNTS | Extract email addresses and usernames. |
These permissions enable the threat actors to conduct extensive surveillance on users, posing significant risks to personal privacy and security.
Command-and-Control infrastructure
The research identified several command-and-control (C2) servers associated with the Tanzeem app, indicating an organized effort by DONOT to maintain control over infected devices. The presence of multiple domains used for communication suggests a robust infrastructure designed to facilitate ongoing operations.
Evolving tactics and future implications
The DONOT group’s tactics have evolved significantly, incorporating push notifications that not only facilitate the installation of additional malware but also ensure its persistence on targeted devices. This strategic shift highlights their commitment to enhancing their intelligence-gathering capabilities for national interests. As cybersecurity experts continue to monitor these developments, it is clear that the DONOT APT group remains a formidable threat within South Asia. Their persistent use of Android malware and adaptation of new technologies like OneSignal underscores the need for heightened vigilance among users and organizations alike.