Rogue Android Apps Target Pakistani Individuals

Rogue Android Apps Target Pakistani Individuals

Individuals in the Pakistan region have been targeted using two rogue Android apps available on the Google Play Store as part of a new targeted campaign.

Cybersecurity firm Cyfirma attributed the campaign with moderate confidence to a threat actor known as DoNot Team, which is also tracked as APT-C-35 and Viceroy Tiger.

The espionage activity involves duping Android smartphone owners into downloading a program that’s used to extract contact and location data from unwitting victims.

“The motive behind the attack is to gather information via the stager payload and use the gathered information for the second-stage attack, using malware with more destructive features,” the company said.

While an October 2021 report from Amnesty International linked the group’s attack infrastructure to an Indian cybersecurity company called Innefu Labs, Group-IB, in February 2023, said it identified overlaps between DoNot Team and SideWinder, another suspected Indian hacking crew.

Attack chains mounted by the group leverage spear-phishing emails containing decoy documents and files as lures to spread malware. In addition, the threat actor is known to use malicious Android apps that masquerade as legitimate utilities in their target attacks.

The latest set of applications discovered by Cyfirma originate from a developer named “SecurITY Industry” and pass off as VPN and chat apps, with the latter still available for download from the Play Store –

  • iKHfaa VPN (com.securityapps.ikhfaavpn) – 10+ downloads
  • nSure Chat (com.nSureChat.application) – 100+ downloads

By utilizing the Google Play Store as a malware distribution vector, the approach abuses the implicit trust placed by users on the online app marketplace and lends it an air of legitimacy. It’s, therefore, essential that apps are carefully scrutinized prior to downloading them.

“It appears that this Android malware was specifically designed for information gathering,” Cyfirma said. “By gaining access to victims’ contact lists and locations, the threat actor can strategize future attacks and employ Android malware with advanced features to target and exploit the victims.”