A new attack campaign has been observed targeting individuals in India. The campaign targets Android mobile devices with two malware samples, delivered via popular messaging apps such as WhatsApp. The samples link the attacks to DoNot APT, a group known for carrying out cyberespionage attacks in South Asia.
Attack tactics
According to CYFIRMA researchers, the DoNot APT group either abused some third-party file-sharing websites or developed its own file-sharing platform to distribute the malware.
The malware samples were named Ten Messenger[.]apk and Link Chat QQ[.]apk, masquerading as popular chat apps. Both apps used Google's Firebase as their C2 server.
The attackers likely used social engineering over WhatsApp or other popular messaging apps to lure victims into downloading the malicious apps.
Once installed, the apps prompt the user to open them and enable Accessibility Services. Alerts are shown continuously until the victim grants the requested permissions.
Technical details
The malware's code was heavily obfuscated and protected with the ProGuard code obfuscator.
Strings were protected with two layers of protection: Base64 encoding and AES-256 encryption.
The Android manifest of the malicious sample lists the permissions the malware requests, including network access, reading SMS, and recording audio.
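The manifest is the first place an analyst looks for the capabilities the report lists. The following Go program is an added example, not code from CYFIRMA or from the sample: it walks a decoded AndroidManifest.xml (as apktool would produce it) and flags the permissions the report names plus any service that binds the Accessibility Service. The manifest text, the package name and the service name are constructed for the example and are not taken from the real sample.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// Constructed decoded manifest fragment; the package and component names are
// placeholders, not values from the real Ten Messenger or Link Chat QQ samples.
const sampleManifest = `<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.placeholder">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
    <application>
        <service android:name=".AccessService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>`

// Finding is one manifest entry worth an analyst's attention.
type Finding struct {
	Item string // permission or component name
	Why  string // what the capability grants
}

// Permissions matching the capabilities described in the report. The
// explanations are the editor's, added for this example.
var sensitivePermissions = map[string]string{
	"android.permission.INTERNET":     "network access, as needed for a C2 channel",
	"android.permission.READ_SMS":     "can read stored SMS messages",
	"android.permission.RECEIVE_SMS":  "can see incoming SMS messages",
	"android.permission.RECORD_AUDIO": "can record from the microphone",
}

const accessibilityBind = "android.permission.BIND_ACCESSIBILITY_SERVICE"

// attr returns the value of an attribute by its local name, ignoring the
// android: namespace prefix so the lookup works with or without it.
func attr(el xml.StartElement, local string) string {
	for _, a := range el.Attr {
		if a.Name.Local == local {
			return a.Value
		}
	}
	return ""
}

// TriageManifest streams through the XML and collects sensitive permissions
// and Accessibility Service declarations in document order.
func TriageManifest(manifestXML string) ([]Finding, error) {
	dec := xml.NewDecoder(strings.NewReader(manifestXML))
	var findings []Finding
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			break
		}
		if err != nil {
			return nil, fmt.Errorf("manifest parse: %w", err)
		}
		el, ok := tok.(xml.StartElement)
		if !ok {
			continue
		}
		switch el.Name.Local {
		case "uses-permission":
			name := attr(el, "name")
			if why, hit := sensitivePermissions[name]; hit {
				findings = append(findings, Finding{name, why})
			}
		case "service":
			if attr(el, "permission") == accessibilityBind {
				findings = append(findings, Finding{attr(el, "name"),
					"declares an Accessibility Service, which can observe and act on other apps' UI"})
			}
		}
	}
	return findings, nil
}

// HasFinding reports whether a given permission or component was flagged.
func HasFinding(findings []Finding, item string) bool {
	for _, f := range findings {
		if f.Item == item {
			return true
		}
	}
	return false
}

func main() {
	findings, err := TriageManifest(sampleManifest)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("%-50s %s\n", f.Item, f.Why)
	}
}
```

Matching on the attribute's local name rather than the full namespaced name keeps the triage working on manifests that use a different prefix for the android namespace; the ordinary VIBRATE permission is deliberately left unflagged to show the filter is selective.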
The string decryption routine involves the domain playstoree[.]xyz, which has been part of DoNot APT's infrastructure in past attacks.
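The two-layer string protection and the infrastructure check in the two preceding points can be reproduced with a small analyst helper. The Go program below is an added example, not code from CYFIRMA or from the sample: it peels the outer Base64 layer, then the inner AES-256 layer, and checks whether the recovered string references a domain already attributed to the group. The key, the IV, the sample string and the exact cipher construction (CBC mode, PKCS#7 padding, IV prefixed to the ciphertext) are assumptions made for this example; the report states only that Base64 and AES256 were used.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Hypothetical 32-byte key standing in for one an analyst recovers from the
// sample; a 32-byte key selects AES-256. Constructed for this example.
var recoveredKey = []byte("0123456789abcdef0123456789abcdef")

// Domain the report ties to DoNot APT infrastructure (defanged in the text).
var knownInfraDomains = []string{"playstoree.xyz"}

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 {
		return nil, errors.New("empty plaintext")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("bad PKCS#7 padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad PKCS#7 padding")
		}
	}
	return b[:len(b)-n], nil
}

// UnprotectString reverses the two layers: Base64 outside, AES-256 inside.
// CBC mode, PKCS#7 padding and an IV prefix are assumptions for this example.
func UnprotectString(encoded string, key []byte) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", fmt.Errorf("outer layer: %w", err)
	}
	if len(raw) < 2*aes.BlockSize || len(raw)%aes.BlockSize != 0 {
		return "", errors.New("inner layer: length is not IV plus whole blocks")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	iv, ct := raw[:aes.BlockSize], raw[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	plain, err := pkcs7Unpad(pt)
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

// ProtectString applies the same layers in the forward direction. It exists
// only so the example can build its own constructed input and run offline.
func ProtectString(plain string, key, iv []byte) (string, error) {
	if len(iv) != aes.BlockSize {
		return "", errors.New("iv must be exactly one block")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	padded := pkcs7Pad([]byte(plain))
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	out := append(append([]byte{}, iv...), ct...)
	return base64.StdEncoding.EncodeToString(out), nil
}

// MatchesKnownInfra reports whether a recovered string references a domain
// already attributed to the group, which is the overlap the report relies on.
func MatchesKnownInfra(s string) bool {
	lower := strings.ToLower(s)
	for _, d := range knownInfraDomains {
		if strings.Contains(lower, d) {
			return true
		}
	}
	return false
}

func main() {
	iv := []byte("fedcba9876543210") // constructed, fixed so the run is reproducible
	// Constructed sample string; only the domain itself comes from the report.
	enc, _ := ProtectString("https://playstoree.xyz/", recoveredKey, iv)
	dec, err := UnprotectString(enc, recoveredKey)
	fmt.Printf("encoded: %s\nrecovered: %q err=%v known-infra=%v\n", enc, dec, err, MatchesKnownInfra(dec))
}
```

Length and padding are validated before any string is trusted, so a value that merely looks Base64-encoded is rejected rather than yielding garbage that could be mistaken for a real indicator.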
The bottom line
Experts say that DoNot APT has used similar attack tactics for the past two years and will likely continue to do so in the near future. Organizations are therefore advised to implement multiple layers of security to minimize the impact of this threat.