The APT group “DoNot Team” uses the Tanzeem malware to attack organizations in South Asia.

Wednesday, January 22, 2025

Cybersecurity researchers from CYFIRMA have uncovered new Android malware named Tanzeem and Tanzeem Update. The malware is linked to an Indian APT group known as the DoNot Team or APT-C-35, which primarily targets government organizations, military agencies, foreign ministries, and embassies in South Asian countries such as India, Pakistan, Sri Lanka, and Bangladesh.

The Tanzeem malware was first detected in October and December 2024. It disguises itself as a legitimate application mimicking chat functions and prompts users to grant system access permissions. Once these permissions are granted, the app gains access to sensitive data, including call logs, contacts, SMS messages, location, account information, and files stored on external storage. It can also capture screenshots to gather additional critical information. Notably, the app shuts down immediately after obtaining the required permissions, underscoring the attackers’ deliberate intent to target specific victims.

The group employs new techniques to execute phishing attacks, leveraging the OneSignal platform—commonly used for delivering notifications, in-app messages, emails, and SMS—to distribute phishing links to their targets. This is the first recorded instance of an APT group using OneSignal as an attack tool. When a target clicks the “Start Chat” option, the app redirects them to a settings page to enable access permissions, after which it begins collecting data covertly.

The DoNot Team focuses on organizations in South Asia to gather strategic intelligence, particularly related to India. Their recent activities highlight the group’s persistence and evolution, as evidenced by the adoption of new techniques to enhance operational capabilities. According to reports, the DoNot Team continues to adapt and develop new cyberattack strategies, signaling ongoing efforts to strengthen their capabilities in future operations.

Source: https://securityaffairs.com/173257/apt/donot-team-android-malware.html