
    DoNot Team Implicated in Deployment of Tanzeem Android Malware for Precision Surveillance

    The threat actor known as DoNot Team has been linked to a new Android malware family, dubbed Tanzeem, used in highly targeted attacks.

    The two samples, named Tanzeem and Tanzeem Update, were spotted in October and December 2024 respectively by cybersecurity firm Cyfirma. They share the same functionality, differing only in minor changes to the user interface.

    “Although purported to function as a messaging application, the app ceases to operate post-installation, terminating after securing the requisite permissions,” Cyfirma said in a report published Friday. “Its nomenclature implies an intent to infiltrate and surveil specific individuals or entities, potentially transcending national boundaries.”

    Also tracked as APT-C-35, Origami Elephant, SECTOR02, and Viceroy Tiger, DoNot Team is believed to be of Indian origin and has a history of using spear-phishing emails and Android malware families to gather information of interest.

    In October 2023, the group was linked to Firebird, a previously undocumented .NET-based backdoor used against a small number of victims in Pakistan and Afghanistan.

    The exact targets of the new malware are not yet known, but it is suspected to have been used against specific individuals to gather intelligence on perceived internal threats.

    A notable aspect of the app is its use of OneSignal, a legitimate customer-engagement platform that marketers use to send push notifications, in-app messages, emails, and SMS. Cyfirma assesses that the OneSignal SDK is being abused to deliver push notifications carrying phishing links, which in turn lead to the download of additional malware. For defenders, the practical consequence is that this follow-on delivery arrives through a legitimate third-party push service rather than through infrastructure the attacker has to stand up and expose.

    Regardless of variant, the app shows a fake chat screen after installation and urges the user to tap a button labeled “Start Chat.” Doing so displays a message asking the victim to enable the app’s accessibility service. Once granted, accessibility access lets the app read what is on screen and inject input on the user’s behalf, which is what allows it to carry out its actions without further prompts.

    The app also requests a set of sensitive permissions that let it collect call logs, contacts, SMS messages, precise location, account information, and files in external storage. Other capabilities include recording the screen and connecting to a command-and-control (C2) server.
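    For anyone triaging a suspected sample, the combination described above (an accessibility service, a cluster of data-harvesting permissions, and a third-party push SDK that can deliver follow-on links) is visible in the decoded AndroidManifest.xml before any dynamic analysis. The Python script below is an added example, not Cyfirma’s tooling or code taken from the samples: it parses a manifest decoded with a tool such as apktool and flags that combination. The manifest embedded in it is constructed for illustration, its package and class names are invented and are not Tanzeem’s real identifiers, and the assumption that OneSignal’s SDK components live under the com.onesignal package prefix is a heuristic rather than an indicator from the report.

```python
import json
import sys
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"  # namespace of android:* attributes

# Permissions covering the data the report says the app collects.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "SMS",
    "android.permission.RECEIVE_SMS": "SMS",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.GET_ACCOUNTS": "account information",
    "android.permission.READ_EXTERNAL_STORAGE": "external storage",
}
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
# Assumption (heuristic): the OneSignal SDK registers its components under this package.
PUSH_SDK_PREFIXES = ("com.onesignal.",)

# Constructed manifest mimicking the chat-app lure; all names are invented, not Tanzeem's.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chatlure">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application android:label="Chat">
    <activity android:name=".StartChatActivity"/>
    <service android:name=".AccessService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name="com.onesignal.NotificationOpenedReceiver"/>
    <service android:name="com.onesignal.FCMIntentService"/>
  </application>
</manifest>
"""


def triage_manifest(manifest_xml: str) -> dict:
    """Return the manifest indicators that match the pattern described in the report."""
    root = ET.fromstring(manifest_xml)
    findings = {
        "package": root.get("package"),
        "sensitive_permissions": [],
        "harvested_data": [],
        "accessibility_services": [],
        "push_sdk_components": [],
    }
    for up in root.findall("uses-permission"):
        name = up.get(ANDROID + "name", "")
        if name in SENSITIVE_PERMISSIONS:
            findings["sensitive_permissions"].append(name)
    app = root.find("application")
    for comp in (app if app is not None else []):
        name = comp.get(ANDROID + "name", "")
        if comp.tag == "service":
            # A genuine accessibility service both filters for the system action and is
            # protected by BIND_ACCESSIBILITY_SERVICE; require both to avoid false hits.
            actions = {a.get(ANDROID + "name") for a in comp.iter("action")}
            if ACCESSIBILITY_ACTION in actions and comp.get(ANDROID + "permission") == ACCESSIBILITY_BIND:
                findings["accessibility_services"].append(name)
        if name.startswith(PUSH_SDK_PREFIXES):
            findings["push_sdk_components"].append(name)
    findings["sensitive_permissions"].sort()
    findings["harvested_data"] = sorted({SENSITIVE_PERMISSIONS[p] for p in findings["sensitive_permissions"]})
    # Verdict: accessibility access plus broad data collection is the core of the pattern;
    # the push SDK is reported separately because it is what enables follow-on delivery.
    findings["suspicious"] = bool(findings["accessibility_services"]) and len(findings["harvested_data"]) >= 3
    return findings


if __name__ == "__main__":
    # Usage: python triage_manifest.py [path/to/decoded/AndroidManifest.xml]
    xml_text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    print(json.dumps(triage_manifest(xml_text), indent=2))
```

    The accessibility check deliberately requires both the intent-filter action and the BIND_ACCESSIBILITY_SERVICE protection, because a service declaring only one of them will not be offered to the user as an accessibility service and is a common source of false positives in permission-only heuristics. The presence of a push SDK is reported rather than scored, since plenty of legitimate apps ship OneSignal; it matters here only in combination with the rest.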

    “Analyses of retrieved samples expose a novel strategy wherein push notifications serve as conduits to install supplementary Android malware, ensuring the persistent presence of the threat on compromised devices,” Cyfirma stated.

    “This innovative approach amplifies the malware’s longevity on targeted devices, underscoring the evolving sophistication of the threat actor’s methods in pursuit of intelligence acquisition aligned with national imperatives.”
