The hacking group reportedly targeted high-profile organisations in Southeast Asia since 2018, reports Bleeping Computer.
The apps used in DoNot's latest campaign collect basic information. This data can help the threat group prepare the ground for more dangerous malware attacks. The latest campaign also reportedly represents the first stage of the group's attacks.
Google Play Store apps spreading spyware
As per Cyfirma, the suspected apps that are reportedly spreading spyware to collect data are available on the Google Play Store. Both of these apps, nSure Chat and iKHfaa VPN, have been uploaded by a developer named 'SecurITY Industry.'
Meanwhile, the publisher also has a third app on Play Store which didn’t appear malicious for Cyfirma. We at TOI-GadgetsNow have searched the Google Play Store for these apps. The iKHfaa VPN seemed to have been removed while the nSure Chat app is still available on the platform and Google is still allowing users to download it.
The download count on the apps developed by the ‘SecurITY Industry’ is comparatively low. This suggests that these apps are used selectively against specific targets.
How these apps are stealing data
The report claims that these apps request risky permissions from users during installation. These permissions include access to the user's contact list and precise location data. The apps then collect this data and send it to the attacker.
However, to access the target's current location, the GPS on the victim's device needs to be active. Otherwise, the app falls back to fetching the last known location of the device. The collected data is stored locally using Android's Room library. This data is later sent to the attacker's C2 server via an HTTP request.
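The permission profile described above (contacts plus precise location plus network access, in apps whose stated purpose needs neither contacts nor location) is something a defender can check for before installing or approving an app. The following is an added example, not code from the article or from Cyfirma: it parses an AndroidManifest.xml and flags the combination the report describes. The manifest below is a constructed sample; the permission names are standard Android ones, while the helper names and the "vpn"/"chat" category labels are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
CLEARTEXT_ATTR = f"{{{ANDROID_NS}}}usesCleartextTraffic"

# Permission groups matching the behaviour the report describes:
# contact list, (precise) location, and network access for exfiltration.
CONTACT_PERMS = {"android.permission.READ_CONTACTS"}
LOCATION_PERMS = {"android.permission.ACCESS_FINE_LOCATION",
                  "android.permission.ACCESS_COARSE_LOCATION"}
NETWORK_PERMS = {"android.permission.INTERNET"}


def requested_permissions(manifest_xml: str) -> set[str]:
    """Return the set of <uses-permission android:name=...> values."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}


def allows_cleartext(manifest_xml: str) -> bool:
    """True if <application android:usesCleartextTraffic="true"> is set,
    which an app needs on modern Android to talk plain HTTP to a server."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    return app is not None and app.get(CLEARTEXT_ATTR, "false").lower() == "true"


def triage(manifest_xml: str, declared_category: str) -> dict:
    """Flag permission profiles that do not fit the app's declared purpose.
    declared_category is a hypothetical label ("vpn", "chat", ...) the reviewer supplies."""
    perms = requested_permissions(manifest_xml)
    wants_contacts = bool(perms & CONTACT_PERMS)
    wants_location = bool(perms & LOCATION_PERMS)
    wants_network = bool(perms & NETWORK_PERMS)
    findings = []
    if wants_contacts and wants_location and wants_network:
        findings.append("contacts + location + network: matches collect-and-exfiltrate profile")
    if declared_category == "vpn" and wants_contacts:
        findings.append("VPN client requests READ_CONTACTS")
    if declared_category == "chat" and wants_location:
        findings.append("chat app requests device location")
    if allows_cleartext(manifest_xml) and wants_network:
        findings.append("cleartext HTTP traffic enabled")
    return {"permissions": sorted(perms), "findings": findings, "suspicious": bool(findings)}


# Constructed sample manifest for a VPN-branded app with the reported profile.
SAMPLE_VPN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.vpn">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application android:label="Sample VPN" android:usesCleartextTraffic="true"/>
</manifest>
"""

# Constructed benign manifest: a VPN client that only needs network access.
SAMPLE_BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.benignvpn">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Benign VPN"/>
</manifest>
"""

if __name__ == "__main__":
    for label, xml in (("vpn sample", SAMPLE_VPN_MANIFEST), ("benign sample", SAMPLE_BENIGN_MANIFEST)):
        result = triage(xml, "vpn")
        print(label, "suspicious" if result["suspicious"] else "clean", result["findings"])
```

The check is deliberately a triage heuristic: a legitimate messenger does read contacts, so the category label matters as much as the permission list, and a clean result here says nothing about what the app does once installed.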
Cyfirma analysts have also discovered that the code base of the hackers’ VPN app was copied from the legitimate Liberty VPN service.
How Cyfirma linked the operation to DoNot
The cybersecurity firm attributed the campaign to the DoNot threat group based on its specific use of encrypted strings, a technique previously associated with the group. The company also discovered that certain file names generated by the malicious apps were linked to past DoNot campaigns.
Cyfirma researchers hint that the attackers have abandoned the tactic of sending phishing emails carrying malicious attachments. Instead, the group now employs spear-messaging tactics via the WhatsApp and Telegram messaging platforms. Links sent via direct messages on these apps lead victims to the Google Play Store. Because Android's app store is a trusted platform, it lends the attack an air of legitimacy, which helps the attackers trick victims into downloading the suggested apps.