In a Silent Cyber Storm, Rogue Android Apps Target Pakistanis
DoNot threat actor risks highlighted
Overt Operator
June 20, 2023
Further details expose the app-store risks associated with this India-centered nation-state cyber threat actor.
In today's world of technological battlefields, cybersecurity breaches and cyber threats form a silent yet destructive storm. A new wave of this storm has emerged. The targets are unsuspecting individuals in Pakistan caught in the crosshairs of two rogue Android applications on the Google Play Store.
This "sophisticated espionage campaign", as reported by cybersecurity firm Cyfirma, forms a threatening digital landscape for region1.
Motive
India and Pakistan have historically hostile relations. The Council on Foreign Relations explained that much of the modern conflict between the two nations and their individual actors stems from the partitioning of British India in 1947.
Political, economic, and other territorial stressors serve as motives for bad actors from either state to target entities and unsuspecting individuals within the other state.
Espionage Apps
The apps at the center of the India-centered hacking operation, the iKHfaa VPN and nSure Chat, were created by a developer named "SecurITY Industry". These apps masquerade as legitimate tools, a VPN and chat app respectively, yet they hide sinister purposes.
At the time of this report, the VPN application had been removed from the Play Store. However, it was still available as recently as June 12, 2023. The chat application remains available for download1. Due to their recent and contemporary presence in app stores, these apps remain risks for unsuspecting users.
The deceptive nature of these apps extends to their design. For instance, the VPN app utilizes source code taken from the genuine Liberty VPN product, lending it an air of legitimacy that conceals its malicious intent.
The low download counts of both apps suggest that they are part of a highly targeted operation, typical of nation-state actors. Once downloaded and installed, these rogue apps trick victims into granting them permission to access their contact lists and precise locations.
The Threat Actor: DoNot Team
The campaign has been attributed, with moderate confidence, to a threat actor known as DoNot Team, also tracked as APT-C-35 and Viceroy Tiger.
The DoNot Team is a suspected India-nexus threat actor with a history of conducting attacks against various countries in South Asia since at least 2016. This threat actor has been linked to an Indian cybersecurity company, Innefu Labs, and another hacking crew of Indian origin known as SideWinder. The attribution is based on an October 2021 report from Amnesty International and a February 2023 announcement from Group-IB1.
The group's attack chains are known to exploit spear-phishing emails containing decoy documents and files as lures to spread malware.
Similarly, they use malicious Android apps that masquerade as legitimate utilities in their target attacks. These rogue apps, once installed, activate Trojan behavior in the background, remotely controlling the victim's system and extracting confidential information from the infected devices1.
A Silent Threat
The victims targeted by these rogue apps are primarily based in Pakistan. Cybersecurity analysts believe that users may have been approached via messages on Telegram and WhatsApp to lure them into installing these apps.
By utilizing the Google Play Store as a malware distribution vector, the approach abuses the implicit trust placed by users on the online app marketplace and lends it an air of legitimacy1.
Cyfirma noted: "The motive behind the attack is to gather information via the stager payload and use the gathered information for the second-stage attack, using malware with more destructive features."
This strategy allows the threat actor to plot future attacks and employ Android malware with advanced features to target and exploit the victims1.
The case of these rogue Android apps highlights the silent yet potent nature of cyber threats. As the invisible front line of the cyber battlefield continues to evolve, it becomes crucial for individuals and institutions alike to scrutinize apps and remain vigilant about their digital interactions.
In the face of covert cyber warfare, awareness and preparedness are the best defenses.