An advanced persistent threat group known as “DONOT Team” has been identified as utilizing two almost identical Android applications in a campaign aimed at intelligence gathering on individuals and groups in India deemed to be of national security interest to the country.
The apps in question, named “Tanzeem” and “Tanzeem Update,” present themselves as chat applications but do not function as advertised. Instead, upon installation on a device, they prompt the user to activate the device’s accessibility feature and grant permissions that could easily be misused. Subsequently, the apps close down and covertly harvest information from the compromised device, as noted by researchers at Cyfirma who recently uncovered this new wave of the DONOT campaign.
Cyfirma has highlighted the broader scope of DONOT Team’s operations, which extend beyond merely collecting intelligence on internal threats to targeting various organizations across South Asia. The aim of the campaign appears to be to gather strategic intelligence crucial to India’s interests, according to the security vendor.
Upon analyzing the Tanzeem apps, Cyfirma discovered that they leverage OneSignal, a widely used customer engagement platform, to send push notifications to users who install either of the apps on their devices. This functionality enables the apps to prompt users to initiate a fake chat, leading them to inadvertently enable Android accessibility services and grant permissions that allow for the extraction of sensitive data from their devices.
Additionally, the malicious apps were found to possess permissions enabling them to access call logs, contact information, text messages, and even real-time location tracking of the compromised device. Cyfirma noted that the threat actors behind DONOT Team’s activities are continuously evolving their tactics, using push notifications to install additional malicious payloads on compromised devices to ensure persistence and enhance the malware’s ability to continue intelligence gathering.
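The permission profile Cyfirma describes, a self-styled chat app that binds an accessibility service and declares access to call logs, contacts, SMS and location, can be triaged mechanically from an app's decoded manifest. The script below is an added example, not Cyfirma's or the threat actor's code, and the manifest it parses is a constructed sample with a hypothetical package name, not the real Tanzeem manifest.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
BIND_ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Permissions matching the data categories the Tanzeem report lists.
SENSITIVE = {
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "text messages",
    "android.permission.ACCESS_FINE_LOCATION": "real-time location",
}

# Constructed sample manifest (hypothetical package; not the real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.chat.sample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application>
    <service android:name=".Helper"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""


def triage_manifest(manifest_xml: str) -> dict:
    """Report which sensitive data a manifest can reach and whether it declares
    an accessibility service, the combination described in the Tanzeem report."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    accessibility = any(
        s.get(ANDROID_NS + "permission") == BIND_ACCESSIBILITY
        for s in root.iter("service")
    )
    reachable = sorted(SENSITIVE[p] for p in perms if p in SENSITIVE)
    return {
        "accessibility_service": accessibility,
        "sensitive_data": reachable,
        # Flag the pairing of an accessibility service with broad data access;
        # neither alone is conclusive, together they warrant manual review.
        "suspicious": accessibility and len(reachable) >= 2,
    }


if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

Run it against a manifest extracted from the APK with a decoder such as apktool; the result is a triage signal for an analyst, not a verdict.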
DONOT Team, also known by various other monikers like APT-C-35, SectorE02, and Viceroy Tiger, has been a prominent threat group with ties to India since at least 2016. The group has been implicated in various cyber-attacks and data theft campaigns targeting entities in South Asia, with recent reports linking them to espionage activities aimed at manufacturing companies in Pakistan associated with the defense and maritime industries.
Security researchers like ESET have documented DONOT Team’s use of sophisticated Windows and Android malware in espionage campaigns across multiple countries in South Asia. For instance, Cyfirma previously uncovered the deployment of malicious Android apps on Google’s Play store by the threat actor to target individuals in Kashmir and Pakistan.
DONOT Team is just one of several APT groups believed to be operating from India, engaging in a range of malicious activities such as online extortion scams, hacktivism, cyber espionage, and surveillance. Experts attribute some of this cyber activity to geopolitical tensions in the region and the overall surge in cybercrime across South Asia in recent years.