DoNot hacking group spreads spyware apps on Google Play

June 28, 2023

The DoNot hacking group has allegedly used three Android applications to harvest information from targeted devices. Based on reports, the malicious applications contain spyware that could collect data, such as contact lists and location data.

Researchers attributed the operation to the aforementioned Indian hacking group, which has been notorious for targeting high-profile organisations in Southeast Asia since 2018.

Two applications are confirmed to be used by the DoNot hacking group in these attacks. Both were uploaded under the developer name SecurITY Industry and are called nSure Chat and iKHfaa VPN.

Both applications, along with an unconfirmed third app, did not appear malicious on the surface, which is why they remained available on the Google Play Store. The total download count for all SecurITY Industry applications is low, implying that the apps target specific users.

The researchers said that the confirmed apps ask for risky permissions upon installation, such as access to the contact list and location data. The applications then exfiltrate these details to an attacker-controlled server. Moreover, the target’s GPS needs to be active so the app can fetch the last known device location.

The apps can also store the collected information locally using Android’s Room library and later send it to the attacker’s command-and-control server through an HTTP request. The command-and-control server for the VPN application is https[:]ikhfaavpn[.]com. The server address used by nSure Chat, on the other hand, had previously been seen in a Cobalt Strike operation last year.
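As an added, defender-side illustration (not code from the original article or from the researchers), the following Python triage check applies the two observations above to a decoded AndroidManifest.xml and a list of extracted string constants: the contacts-plus-location permission set combined with network access, and the C2 hostname quoted in the text. The manifest, package name and string constants are constructed samples, not material from the real apps.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions the article reports the DoNot apps requesting (contacts, location),
# plus the network permission any upload to a command-and-control server needs.
DATA_PERMS = {
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
}
NET_PERMS = {"android.permission.INTERNET"}
# The defanged C2 host quoted in the article, refanged for matching.
KNOWN_C2 = {"ikhfaavpn.com"}


def declared_permissions(manifest_xml: str) -> set:
    """Collect <uses-permission android:name="..."> values from a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(f"{{{ANDROID_NS}}}name")
        for el in root.iter("uses-permission")
        if el.get(f"{{{ANDROID_NS}}}name")
    }


def triage(manifest_xml: str, string_constants: list) -> dict:
    """Score one app: data-harvesting permissions combined with network access,
    and any known C2 hostname among the app's extracted string constants."""
    perms = declared_permissions(manifest_xml)
    data_hits = sorted(perms & DATA_PERMS)
    c2_hits = sorted(d for d in KNOWN_C2 if any(d in s.lower() for s in string_constants))
    network = bool(perms & NET_PERMS)
    # Harvesting permissions alone are common in benign apps; the combination with
    # network access, or any C2 indicator, is what warrants analyst review.
    suspicious = (network and bool(data_hits)) or bool(c2_hits)
    return {"data_permissions": data_hits, "network": network,
            "c2_indicators": c2_hits, "suspicious": suspicious}


# Constructed sample manifest (hypothetical package name), not from a real APK.
SAMPLE_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.vpnlike">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""
# Constructed string constants, as a decompiler might extract them from the app.
SAMPLE_STRINGS = ["https://ikhfaavpn.com/api/upload", "contacts_db", "last_location"]

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_STRINGS))
```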

Threat analysts also found that the code base of the threat actors’ VPN app is taken from the legitimate Liberty VPN product.

The researchers confidently attributed the malicious apps to the DoNot threat group because the apps use encrypted strings based on the AES/CBC/PKCS5PADDING algorithm and ProGuard obfuscation in the same manner as the group’s earlier malware.

Threat analysts noted that these threat actors have shifted their tactics from sending phishing emails with malicious attachments to publishing malware-laden applications on app stores.

Users should refrain from downloading questionable applications that request risky permissions. Moreover, users should be wary of new applications with few downloads and reviews, to avoid installing spyware or other malware.
