The threat actor known as DoNot Team has been linked to a new Android malware used in a highly targeted cyberattack.
The artifacts, named Tanzeem (which means “organization” in Urdu) and Tanzeem Update, were spotted in October and December 2024 by cybersecurity firm Cyfirma. The two apps were found to have the same functionality, differing only in minor changes to the user interface.
“Although the app is supposed to function as a chat app, it doesn’t work after installation and closes after obtaining the necessary permissions,” Cyfirma noted in an analysis published Friday. “The name of the program suggests that it is intended for specific individuals or groups both within and outside the country.”
DoNot Team, also tracked as APT-C-35, Origami Elephant, SECTOR02, and Viceroy Tiger, is a hacking group believed to be of Indian origin with a history of attacks that use phishing emails and Android malware families to collect information of interest.
In October 2023, the threat actor was linked to a previously undocumented .NET-based backdoor named Firebird that targeted a small number of victims in Pakistan and Afghanistan.
It is currently unclear who exactly was targeted by the latest malware, although it is suspected of being used against specific individuals to gather intelligence on insider threats.
A notable aspect of the Android malware is its use of OneSignal, a popular customer engagement platform used by organizations to send push notifications, in-app messages, email and SMS messages. Cyfirma suggests that the library is being used to send notifications containing phishing links that lead to the deployment of malware.
Regardless of the distribution mechanism used, the app, once installed, displays a fake chat screen and prompts the victim to tap a “Start Chat” button. This triggers a message instructing the user to grant permissions for the Accessibility Services API, which allows the app to perform various nefarious actions.
The app also requests several sensitive permissions that facilitate the collection of call logs, contacts, SMS messages, precise location, account information, and files located on external storage. Other features include screen recording and establishing connections with a command-and-control (C2) server.
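The permission profile described above (an accessibility service plus a cluster of data-collection permissions) is a useful triage signal on its own. The following is an added example, not code from Cyfirma or from the analysis the article summarizes: it parses an AndroidManifest.xml and flags the combination. The mapping of the article's data categories (call logs, contacts, SMS, location, accounts, external storage) to specific Android permission strings is my assumption about how such an app would request that data, and the two manifests embedded below are constructed for illustration, not taken from the Tanzeem samples.

```python
"""Manifest triage for the spyware permission profile described in the article.

Added example (not Cyfirma's or the article's code). The permission names
below are standard Android permissions; mapping them to the article's data
categories is an assumption. Both sample manifests are constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping: article data category -> Android permission that grants it.
SPYWARE_PERMISSIONS = {
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.GET_ACCOUNTS": "account information",
    "android.permission.READ_EXTERNAL_STORAGE": "external storage",
}
# An accessibility service must be exported under this system permission so
# only the framework can bind it; its presence is what we key on.
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def triage_manifest(manifest_xml: str, threshold: int = 4) -> dict:
    """Return what the manifest requests and whether it matches the profile.

    A manifest is flagged when it declares at least one accessibility service
    AND requests `threshold` or more of the data-collection permissions above.
    """
    root = ET.fromstring(manifest_xml)
    requested = {
        p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")
    }
    collected = sorted(
        SPYWARE_PERMISSIONS[p] for p in requested if p in SPYWARE_PERMISSIONS
    )
    accessibility_services = [
        s.get(ANDROID_NS + "name")
        for s in root.iter("service")
        if s.get(ANDROID_NS + "permission") == ACCESSIBILITY_PERMISSION
    ]
    return {
        "package": root.get("package"),
        "collects": collected,
        "accessibility_services": accessibility_services,
        "suspicious": bool(accessibility_services) and len(collected) >= threshold,
    }


# Constructed manifest mimicking the profile described in the article.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application android:label="Chat">
    <service android:name=".WatchService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed benign manifest: a camera app with no accessibility service.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.camera">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application android:label="Camera"/>
</manifest>
"""

if __name__ == "__main__":
    for name, xml in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(name, triage_manifest(xml))
```

The threshold is deliberately a count rather than an exact set: legitimate messaging apps request some of these permissions, and it is the accessibility service combined with broad data access that warrants a closer look, not any single permission. Run it against a manifest dumped with `aapt` or `apktool` to get the same dictionary for a real APK.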
“The collected samples reveal a new tactic using push notifications that encourage users to install additional Android malware, ensuring the malware remains on the device,” Cyfirma said.
“This tactic increases the ability of malware to remain active on a target device, indicating the threat group’s intent to continue to engage in intelligence gathering for the national interest.”