Ethical Hacking News
A new Android malware linked to the Indian APT group DoNot Team has been discovered by researchers at CYFIRMA. The malicious app, named "Tanzeem," was found in two variants that share the same code with minor differences in the user interface, and it can gather sensitive information, including call logs, contacts, and SMS messages. This discovery highlights the evolving nature of cyber threats and emphasizes the need for increased awareness among users to protect themselves and their organizations from such attacks.
The DoNot Team, also known as APT-C-35 and Origami Elephant, has been active since 2016. The group primarily targets government and military organizations in South Asian countries. The new Android malware, Tanzeem, uses OneSignal to deliver push notifications, emails, SMS, and in-app messages. Tanzeem mimics chat functionality and prompts users to enable accessibility access. The app can gather sensitive information, including call logs, contacts, locations, account info, and files stored in external storage. The Tanzeem app has the ability to record the screen, making it a concerning tool for capturing user data.
The cybersecurity landscape is constantly evolving, with new threats emerging every day. Recently, researchers from CYFIRMA discovered a new Android malware linked to the Indian APT group known as DoNot Team. Two samples of the malicious app, named "Tanzeem," were identified in October 2024 and December 2024; they share the same code with minor differences in the user interface.
The DoNot Team, also known as APT-C-35 and Origami Elephant, has been active since 2016 and primarily targets government and military organizations, ministries of foreign affairs, and embassies in India, Pakistan, Sri Lanka, Bangladesh, and other South Asian countries. The group's tactics have evolved over time, with the latest discovery featuring the use of OneSignal, a platform typically used for sending push notifications, in-app messages, emails, and SMS.
The Tanzeem app mimics chat functionality and prompts users to enable accessibility access. Variants of the app show only minor differences, such as color changes. Once the user grants the requested permissions, the app shuts down. Its name suggests that it targets specific individuals or groups, both domestically and abroad.
Upon clicking the "START CHAT" button, a pop-up message asks the user to turn on accessibility access for the Tanzeem App. The user is then directed to the accessibility settings page. The malicious code can gather sensitive information, including call logs, contacts, SMS messages, precise locations, account information, and files stored in external storage.
The Tanzeem app's ability to record the screen is particularly concerning, as it could be used to capture sensitive data or monitor user activity without their knowledge. The DoNot APT group has been observed misusing OneSignal to deliver phishing links through notifications, a tactic that represents a new development in the group's methods.
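The combination the report describes (a "chat" app that demands an accessibility service, requests call-log, contact, SMS, location, account and storage access, and embeds a push SDK such as OneSignal) is something an analyst can check for in a decoded manifest during triage. The following script is an added example, not code from CYFIRMA or from the Tanzeem sample; the manifest it runs on is constructed for demonstration, and the assumption that OneSignal components live under the `com.onesignal.` package prefix is noted in the code.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Permissions behind the data categories the report lists for Tanzeem.
SENSITIVE = {
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.GET_ACCOUNTS": "account information",
    "android.permission.READ_EXTERNAL_STORAGE": "external storage",
}

def triage_manifest(manifest_xml: str) -> dict:
    """Summarise the risk indicators found in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    requested = {p.get(NAME) for p in root.iter("uses-permission")}
    components = [c for tag in ("service", "receiver", "activity")
                  for c in root.iter(tag)]
    # Android only binds an accessibility service that is declared with this
    # permission, so it is the reliable indicator, not the class name.
    accessibility = any(
        c.get(PERMISSION) == "android.permission.BIND_ACCESSIBILITY_SERVICE"
        for c in components if c.tag == "service")
    # Assumption: the OneSignal SDK registers its components under com.onesignal.
    onesignal = any((c.get(NAME) or "").startswith("com.onesignal.")
                    for c in components)
    data = sorted(SENSITIVE[p] for p in requested & set(SENSITIVE))
    # Accessibility access plus broad private-data access plus a push channel
    # is the profile the report describes: flag the app for manual review.
    return {
        "accessibility_service": accessibility,
        "onesignal_sdk": onesignal,
        "sensitive_data": data,
        "review": accessibility and onesignal and len(data) >= 3,
    }

# Constructed manifest for demonstration; not taken from the Tanzeem sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chat">
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application>
    <activity android:name=".ChatActivity"/>
    <service android:name=".HelperService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name="com.onesignal.PushReceiver"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

The heuristic is a triage aid, not a verdict: legitimate accessibility tools and messaging apps can request some of these permissions, so a flagged app still needs a look at what the accessibility service actually does.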
The use of OneSignal by the DoNot Team highlights the evolving nature of cyber threats and the need for increased awareness among users. As security experts continue to monitor the situation, it is essential to stay informed about emerging threats and take proactive measures to protect ourselves and our organizations from such attacks.
Related Information:
https://securityaffairs.com/173257/apt/donot-team-android-malware.html
Published: Mon Jan 20 15:59:42 2025 by llama3.2 3B Q4_K_M