The India-based advanced persistent threat group dubbed DoNot Team has been linked to a new Android malware used in recent, highly targeted cyberattacks.
The APT group, also known as Origami Elephant and APT-C-35, has been active for nearly a decade. It is notorious for targeting critical sectors such as government and military institutions, foreign ministries, and embassies.
Some of the group’s most targeted countries commonly include Pakistan, Sri Lanka, Bangladesh, and other South Asian countries.
DoNot Team is the alleged new ‘Tanzeem’ Android malware operator.
The DoNot Team APT’s latest Android malware is dubbed “Tanzeem” and “Tanzeem Update”; the name means ‘organisation’ in Urdu. The researchers first discovered the two samples in October and December last year, respectively.
Both payloads share identical code, with only slight variations in the user interface. The researchers explained that the Tanzeem app simulates chat functionality and prompts users to enable accessibility features; the variants differ only in subtle details, such as colour changes.
The DoNot APT group has also been found to misuse the OneSignal platform, a service that provides push notifications, in-app messages, emails, and SMS, features typically used by legitimate mobile and web applications.
In this campaign, the group uses OneSignal to deliver phishing links via push alerts. This marks a new step in the group’s tradecraft, as it is the first time they have been observed using OneSignal for such campaigns.
The app includes a feature that shuts itself down once authorisation has been granted, and its name implies that it targets specific individuals or groups both domestically and internationally. After the user selects “START CHAT,” a pop-up window prompts them to grant accessibility access to the Tanzeem app, and the user is then redirected to the accessibility settings page.
Once granted, the program can harvest details such as call records, contacts, SMS messages, precise location, account information, and files saved on external storage. The malicious code may also record the screen.
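The capability profile described above (an app that asks for accessibility access while also declaring permissions for call logs, contacts, SMS, location, accounts and external storage) is something a defender can triage statically from an APK’s manifest. The following is an added example written for this article, not code from the original report or from any research team; the manifest it parses is a constructed sample with a hypothetical package name and service class, and the sensitivity threshold is an assumed tuning value.

```python
"""Static triage of an AndroidManifest.xml for the combination the Tanzeem
report describes: an accessibility service declared alongside permissions
that cover the data categories the malware harvests.
Added example; the manifest below is constructed, not taken from Tanzeem."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR_NAME = f"{{{ANDROID_NS}}}name"
ATTR_PERMISSION = f"{{{ANDROID_NS}}}permission"

# Real Android permission names mapped onto the data categories named in the report.
SENSITIVE = {
    "android.permission.READ_CALL_LOG": "phone records",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.RECEIVE_SMS": "SMS messages",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.GET_ACCOUNTS": "account information",
    "android.permission.READ_EXTERNAL_STORAGE": "external storage",
}

# Constructed sample manifest (hypothetical package and service names).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chatapp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <application android:label="Chat">
        <service android:name=".A11yService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""


def parse_manifest(xml_text):
    """Extract the package name, requested permissions and whether the app
    declares a bindable accessibility service."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ATTR_NAME) for e in root.iter("uses-permission")}
    has_a11y = False
    for svc in root.iter("service"):
        # A genuine accessibility service must be guarded by this permission
        # and register the AccessibilityService intent action.
        if svc.get(ATTR_PERMISSION) != "android.permission.BIND_ACCESSIBILITY_SERVICE":
            continue
        for action in svc.iter("action"):
            if action.get(ATTR_NAME) == "android.accessibilityservice.AccessibilityService":
                has_a11y = True
    return {"package": root.get("package"), "permissions": perms,
            "accessibility_service": has_a11y}


def assess(info, threshold=3):
    """Flag the app when an accessibility service coincides with at least
    `threshold` sensitive data categories (threshold is an assumed tuning value)."""
    categories = sorted({SENSITIVE[p] for p in info["permissions"] if p in SENSITIVE})
    findings = []
    if info["accessibility_service"]:
        findings.append("declares an accessibility service")
    if categories:
        findings.append("requests access to: " + ", ".join(categories))
    suspicious = info["accessibility_service"] and len(categories) >= threshold
    return {"package": info["package"], "findings": findings,
            "suspicious": suspicious}


if __name__ == "__main__":
    result = assess(parse_manifest(SAMPLE_MANIFEST))
    print(result["package"], "suspicious" if result["suspicious"] else "ok")
    for line in result["findings"]:
        print(" -", line)
```

The check is deliberately coarse: legitimate assistive apps also declare accessibility services, so the signal is the pairing with broad data-access permissions, not the service alone. In practice the manifest would be pulled from the APK with a tool such as apktool or aapt before being fed to `parse_manifest`.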
The DoNot APT targets South Asian organisations in support of India’s strategic intelligence interests. Its use of push notifications to install persistent Android malware signals shifting tactics and ongoing operations.
South Asia-based organisations should therefore strengthen their cybersecurity measures, as they are the primary target of this APT group.
