
DoNot APT Hackers Deploy Android Malware Apps on Google Play

Under the account name “SecurITY Industry,” the CYFIRMA team identified dubious Android apps on the Google Play Store.

The apps’ true nature has been unveiled, revealing their malware traits and their affiliation with the “DoNot” APT group.

Security analysts have recently identified that the threat actor is actively using an Android payload to target people in Pakistan.

However, the motives driving their cyber attacks in South Asia remain uncertain.

The attack’s primary goal is to collect information with the initial payload and then use that information for a second-stage attack with malware that has more powerful features.

Suspicious Apps

Here below, we have mentioned all the suspicious apps from SecurITY Industry on the Google Play Store:-

  • nSure Chat
  • iKHfaa VPN
  • Device Basics Plus

Of these three suspicious apps, two exhibit malicious characteristics:-

  • nSure Chat
  • iKHfaa VPN

Android Malware Apps on Google Play

The threat actors took clean, unsuspicious Android libraries and manipulated them to retrieve the compromised victim’s contacts and location.

By replicating the code of a renowned VPN service provider, iKHfaa VPN introduced extra libraries to perform malicious activities discreetly.

When the iKHfaa VPN is installed, a notification prompts the user to grant permission for location access.

Improper changes made to the app are apparent on the “about us” page, which explicitly mentions the app’s actual name in its content.

Apart from this, the malicious nSure Chat app presents a screen once it is installed and opened. If the user chooses to skip the Chat page, the app prompts them to grant permission for contact access.

Now if the user skips the signup page, they will be automatically directed to the login or signup section of the application.

The cybersecurity researchers conducted an in-depth code analysis by decompiling the apps and discovered that the threat actor carried out all the malicious actions with only a restricted set of permissions.

The iKHfaa VPN app secretly included the RoomDB and Retrofit libraries to store data and to send the harvested contacts and exact locations to the web-based control server, which also serves as the official app website.

Here below, we have mentioned the most dangerous permissions that are asked:-

  • ACCESS_FINE_LOCATION: Allows the threat actor to fetch precise locations and track the live movement of mobile phones.
  • READ_CONTACTS: This permission allows the threat actor to read and fetch contacts.

If the GPS feature is enabled, the iKHfaa VPN module can determine the compromised victim’s exact location.

Without that, it captures and stores the compromised device’s last recorded location.
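To show what the permission pattern described above looks like from a reviewer’s side, here is an added example (not code from CYFIRMA or from the article) that parses a decoded AndroidManifest.xml, flags the two permissions named above, and treats them as out of place for the app’s advertised purpose. The manifest, the package name and the category-to-permission rules are constructed assumptions for this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# The two permissions the article singles out as the most dangerous ones requested.
HIGH_RISK = {
    "android.permission.ACCESS_FINE_LOCATION": "precise location / live tracking",
    "android.permission.READ_CONTACTS": "contact-list harvesting",
}
# Assumption for this example: a VPN client has no need to read contacts and a
# chat client has no need for precise location, so those requests stand out.
OUT_OF_SCOPE = {
    "vpn": {"android.permission.READ_CONTACTS"},
    "chat": {"android.permission.ACCESS_FINE_LOCATION"},
}

def requested_permissions(manifest_xml: str) -> set:
    """Collect every <uses-permission android:name=...> from a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")
            if el.get(ANDROID_NS + "name")}

def assess(manifest_xml: str, category: str) -> dict:
    """Report which high-risk permissions a manifest asks for and which of them
    do not fit the app's advertised category."""
    perms = requested_permissions(manifest_xml)
    high_risk = sorted(p for p in perms if p in HIGH_RISK)
    mismatched = sorted(p for p in high_risk if p in OUT_OF_SCOPE.get(category, set()))
    return {
        "high_risk": high_risk,
        "mismatched": mismatched,
        # Both data-theft permissions together, or any permission foreign to the
        # app's purpose, is the pattern the article describes.
        "suspicious": len(high_risk) == len(HIGH_RISK) or bool(mismatched),
    }

# Constructed manifest resembling a VPN client that also asks for contacts.
VPN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.vpn.client">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""

if __name__ == "__main__":
    print(assess(VPN_MANIFEST, "vpn"))
```

The same check can be run over the manifest that apktool or a similar decoder produces from any APK; the INTERNET permission is listed only to show that ordinary permissions are ignored.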


The decompiled code of iKHfaa VPN reveals the integration of the ROOM Library, which is part of the Android Jetpack suite.

Upon inspecting the decompiled code of the nSure Chat app, it is revealed that Retrofit is used to establish communication with the domain and port configured within the application.

Security analysts discovered communication between the app and port 4000 after analyzing the live traffic of the nSure Chat app. This communication goes to a domain whose TLS certificate was issued by the free Let’s Encrypt service.

Profile of the Threat Actor

The below image is the complete profile of the “DoNot” APT threat actor:-

Moreover, this Android malware has been intentionally crafted by the DoNot APT actors to gather information.

When the threat actor gains access to the contact lists and locations of the victims, they can plan further attacks.

They then use Android malware equipped with sophisticated features to target and exploit the victims.


Source: https://cybersecuritynews.com/donot-apt-hackers-deploy-android-malware/
