New Android Malware Disguised as Chat App Targets Sensitive Data

A sophisticated Android malware campaign targeting users in South Asia, particularly in India’s Kashmir region, has been uncovered by cybersecurity researchers at Cyfirma.

The malware, masquerading as a chat application named “Tanzeem,” has been linked to the advanced persistent threat (APT) group ‘DONOT,’ which is believed to operate in alignment with Indian national interests.

Disguised as a legitimate chat platform, the malicious app becomes non-functional after installation. Instead, it requests extensive permissions to access sensitive user data and device functionalities. Researchers identified two similar samples in October and December 2024, indicating an ongoing operation.

“Tanzeem,” meaning “organization” in Urdu—a term often associated with terrorist groups and law enforcement agencies in the region—suggests the malware is targeting specific individuals or groups both within and outside India.

Technical Analysis

The malware leverages OneSignal, a widely used customer engagement platform, in a novel manner for this APT group. Cyfirma researchers believe the attackers misuse OneSignal to distribute phishing links via push notifications, increasing the malware’s persistence on infected devices.

The technical breakdown reveals the app requests high-risk permissions, including access to call logs, contacts, SMS messages, file storage, and precise location data. It also seeks the ability to extract email credentials and usernames associated with various online platforms.

Advanced evasion tactics, such as code obfuscation, allow the malware to hide malicious components within the APK file. Its capabilities include file enumeration, keystroke logging, system information collection, and screen recording.

Cyfirma identified several indicators of compromise, including the malware file’s SHA-256 hash: 8689D59AAC223219E0FDB7886BE289A9536817EB6711089B5DD099A1E580F8E4, as well as command-and-control domains like toolgpt[.]buzz and updash[.]info.
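The permission set and indicators above translate directly into a triage check a defender can run on a suspect APK. The script below is an added example, not code from the article or from Cyfirma: it reads a decoded (apktool-style) AndroidManifest.xml, flags the sensitive data categories the article lists, and matches the file hash and extracted strings against the published IoCs. The permission-to-category mapping, the threshold of three categories, and the sample manifest are assumptions constructed for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET

# IoCs from the article: sample SHA-256 and the two C2 domains (refanged from toolgpt[.]buzz, updash[.]info).
IOC_SHA256 = {"8689d59aac223219e0fdb7886be289a9536817eb6711089b5dd099a1e580f8e4"}
IOC_DOMAINS = {"toolgpt.buzz", "updash.info"}

# Assumed mapping of permission strings to the data the article says the app requests.
HIGH_RISK_PERMISSIONS = {
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.READ_EXTERNAL_STORAGE": "file storage",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
}
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

def flag_permissions(manifest_xml):
    """Sorted sensitive-data categories declared via <uses-permission> in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    names = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    return sorted({HIGH_RISK_PERMISSIONS[n] for n in names if n in HIGH_RISK_PERMISSIONS})

def match_iocs(apk_bytes, strings_blob):
    """Hash the APK bytes and scan its extracted strings for the reported C2 domains."""
    digest = hashlib.sha256(apk_bytes).hexdigest()
    blob = strings_blob.lower()
    return {"sha256_match": digest in IOC_SHA256,
            "domains": sorted(d for d in IOC_DOMAINS if d in blob)}

def triage(manifest_xml, apk_bytes, strings_blob, threshold=3):
    """'known sample' on any IoC hit; 'suspicious' at >= threshold sensitive categories; else 'ok'."""
    categories = flag_permissions(manifest_xml)
    iocs = match_iocs(apk_bytes, strings_blob)
    if iocs["sha256_match"] or iocs["domains"]:
        verdict = "known sample"
    elif len(categories) >= threshold:
        verdict = "suspicious"
    else:
        verdict = "ok"
    return {"verdict": verdict, "categories": categories, **iocs}

# Constructed sample manifest: a "chat app" asking for call logs, contacts, SMS and GPS.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
<uses-permission android:name="android.permission.INTERNET"/>
<uses-permission android:name="android.permission.READ_CALL_LOG"/>
<uses-permission android:name="android.permission.READ_CONTACTS"/>
<uses-permission android:name="android.permission.READ_SMS"/>
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""
```

Feed it the output of `apktool d` (the manifest) together with the raw APK bytes and a `strings` dump; a hash or domain hit identifies the reported sample, while the permission verdict also catches repackaged variants whose hash has changed.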

Context and Recommendations

The DONOT APT group is known for targeting government and military organizations across South Asia. This campaign highlights their evolving tactics and sustained focus on the region.

Cybersecurity experts caution that the group will likely continue refining its methods to enhance persistence in future attacks. Users are advised to be cautious when installing new applications, particularly those demanding excessive permissions.

Organizations in the targeted regions should implement robust security measures and maintain heightened vigilance to mitigate the risks posed by this evolving threat.
