A recent attack campaign has surfaced in India that targets individuals through popular messaging apps such as WhatsApp. The attack uses two malicious Android applications to infect victims' devices.
The primary aim of the campaign is to compromise the victim's device and collect sensitive data. Researchers investigating the activity have attributed it to DoNot APT, a threat actor with a track record of running cyber espionage campaigns in South Asia.
The campaign is significant because it shows that threat actors keep refining their methods and techniques to target unsuspecting victims.
Researchers at CYFIRMA have reported that the DoNot APT group has been using either third-party file-sharing sites or a custom file-sharing platform to distribute the malware. The samples, Ten Messenger[.]apk and Link Chat QQ[.]apk, are disguised as popular chat apps and use Google's Firebase as a command-and-control server.
To lure victims, the attackers likely relied on social engineering built around well-known messaging apps such as WhatsApp. Once a malicious app is installed, it prompts the user to enable Accessibility Services and keeps displaying the prompt until the victim grants the permission. Accessibility access lets an app read on-screen content and interact with the device on the user's behalf, which gives the malware the foothold it needs to carry out its activities.
The Technical Aspects
The DoNot APT campaign targets Android devices and uses several measures to protect the malware's code from analysis. The attackers applied the ProGuard code obfuscator and two layers of encryption to make it harder for analysts to reverse engineer and detect the malware.
By examining the malware's Android manifest file, analysts determined that the malware requests a range of permissions, including network access, reading SMS messages, and recording audio.
With these permissions, the attackers can access the infected device and collect sensitive information without the user's knowledge. Moreover, decrypting the malware's strings reveals the playstoree[.]xyz domain, which has previously been linked to DoNot APT's attack infrastructure.
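As an added example (not CYFIRMA's tooling and not code from the report), the following Python script performs the kind of manifest review described above on an apktool-decoded AndroidManifest.xml: it flags the sensitive permissions, detects a declared accessibility service, and checks recovered strings against the playstoree[.]xyz indicator. The sample manifest, package name, service name and strings are constructed for illustration; the permission triage list and the suspicion heuristic are the editor's assumptions, not findings from the report.

```python
"""Added example (not CYFIRMA's or the malware's own code): triage an
apktool-decoded AndroidManifest.xml for the permission set and
accessibility-service declaration described in the article, and check
recovered strings against a small IOC list.  The sample manifest and
strings are constructed; only the permission categories and the
playstoree[.]xyz domain come from the article."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumption: this triage list is the editor's, not from the report.
SENSITIVE_PERMISSIONS = {
    "android.permission.INTERNET": "network access (C2 and exfiltration)",
    "android.permission.READ_SMS": "read stored SMS messages",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.RECORD_AUDIO": "record audio",
    "android.permission.READ_CONTACTS": "read contacts",
    "android.permission.ACCESS_FINE_LOCATION": "track precise location",
}
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# IOC from the article, kept defanged as written and refanged on use.
IOC_DOMAINS_DEFANGED = {"playstoree[.]xyz"}

# Constructed sample: a chat-app lookalike declaring an accessibility service.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.tenmessenger">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Ten Messenger">
    <service android:name=".AccessHelper"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed sample of strings as they might look after decryption.
SAMPLE_STRINGS = ["Ten Messenger", "https://playstoree.xyz/api/register", "ok"]


def refang(domain):
    """Turn a defanged indicator such as playstoree[.]xyz back into a domain."""
    return domain.replace("[.]", ".").lower()


def android_attr(elem, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def triage_manifest(manifest_xml):
    """Summarise requested permissions and accessibility-service declarations."""
    root = ET.fromstring(manifest_xml)
    requested = [android_attr(e, "name") for e in root.iter("uses-permission")]
    flagged = {p: SENSITIVE_PERMISSIONS[p] for p in requested if p in SENSITIVE_PERMISSIONS}
    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE.
    accessibility = [
        android_attr(s, "name")
        for s in root.iter("service")
        if android_attr(s, "permission") == ACCESSIBILITY_PERMISSION
    ]
    app = root.find("application")
    return {
        "package": root.get("package"),
        "label": android_attr(app, "label") if app is not None else None,
        "requested_permissions": requested,
        "flagged_permissions": flagged,
        "accessibility_services": accessibility,
    }


def find_iocs(strings, defanged_domains=IOC_DOMAINS_DEFANGED):
    """Return (string, domain) pairs where a known C2 domain appears."""
    domains = {refang(d) for d in defanged_domains}
    return [(s, d) for s in strings for d in domains if d in s.lower()]


def is_suspicious(report, ioc_hits):
    """Heuristic (editor's assumption): an accessibility service combined with
    SMS or audio permissions, or any infrastructure match, is worth escalating."""
    spy_perms = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
                 "android.permission.RECORD_AUDIO"}
    spy = spy_perms & set(report["flagged_permissions"])
    return bool(ioc_hits) or (bool(report["accessibility_services"]) and bool(spy))


if __name__ == "__main__":
    report = triage_manifest(SAMPLE_MANIFEST)
    hits = find_iocs(SAMPLE_STRINGS)
    print("package:", report["package"], "label:", report["label"])
    for perm, why in report["flagged_permissions"].items():
        print("  flagged:", perm, "->", why)
    print("  accessibility services:", report["accessibility_services"])
    for s, d in hits:
        print("  IOC hit:", d, "in", s)
    print("suspicious:", is_suspicious(report, hits))
```

To run it against a real sample, decode the APK with `apktool d sample.apk` and pass the contents of the resulting AndroidManifest.xml to `triage_manifest`; the IOC check is only as good as the string recovery, so it belongs after the obfuscation and encryption layers have been peeled off, not on the raw APK.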
Users are Advised to be Careful While Downloading Software
Given DoNot APT's history of cyber espionage in South Asia, security experts recommend a layered set of defenses. These include antivirus software, firewalls, intrusion detection systems, and regular updates to software and security controls to protect against known vulnerabilities.
Users should be cautious when downloading applications from untrusted sources and take time to review the permissions an app requests before installing it. A chat app that asks for Accessibility Services, SMS access, or audio recording deserves particular scrutiny.