The Evolving Threat of Android Malware by DoNot Team: A Cybersecurity Analysis



Introduction

The cybersecurity landscape continues to be dominated by advanced persistent threats (APTs) that evolve with alarming sophistication. One such notable actor is the DoNot Team, also known by aliases such as APT-C-35, Origami Elephant, SECTOR02, and Viceroy Tiger. This hacking group has recently been linked to a new strain of Android malware, as reported by the cybersecurity firm Cyfirma. The malware, named Tanzeem and its variant Tanzeem Update, underscores the persistent efforts of cybercriminals to exploit vulnerabilities and gather intelligence from specific targets. This article delves into the intricate details of this malware, its operational tactics, and the broader implications for cybersecurity.

Discovery of the Tanzeem Malware

The Tanzeem and Tanzeem Update applications were identified in October and December 2024, respectively. Although they are designed to look like chat applications, the apps do not function once installed; instead, they shut down as soon as they have obtained the permissions they request. Cyfirma's analysis indicates that the apps' primary intent is far from benign: they target specific individuals or groups for intelligence gathering.

The two apps are functionally identical and differ only in minor user interface changes. This uniformity suggests that the DoNot Team reuses a single codebase across campaigns rather than building each variant from scratch.

Background on the DoNot Team

The DoNot Team is widely believed to originate from India and has a history of leveraging spear-phishing emails and Android malware to extract sensitive information. Their previous campaigns include the deployment of a .NET-based backdoor called Firebird in October 2023, which targeted individuals in Pakistan and Afghanistan. The group's consistent use of targeted malware highlights its focus on espionage and intelligence collection.

Operational Tactics and Techniques

A standout characteristic of the Tanzeem malware is its integration of OneSignal, a legitimate customer engagement platform. While typically used for sending push notifications and in-app messages, OneSignal is being exploited by the DoNot Team to deliver phishing links and facilitate malware deployment.

Once installed, the app deceives victims by displaying a fake chat screen. A button labeled "Start Chat" prompts users to grant the app access to Android's Accessibility Services API, which gives the malware the reach it needs for a wide range of malicious activities. These include:

  • Accessing call logs, contacts, and SMS messages.
  • Collecting precise location data and account information.
  • Harvesting files stored in external storage.
  • Capturing screen recordings.
  • Establishing connections to a command-and-control (C2) server for continuous data exfiltration.

Additionally, the malware employs a new tactic involving push notifications to prompt users into installing further malicious applications. This ensures the persistence of the malware on compromised devices and signals an evolution in the threat actor's operational strategies.
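The capability list above maps fairly directly onto install-time permissions in an app's manifest, which is what a defender sees first when triaging a sideloaded APK. The following Python script is an added example, not code from Cyfirma, Google or the DoNot Team write-up: it parses a decoded AndroidManifest.xml, flags a declared accessibility service, and counts how many of the sensitive data categories named in the article the app requests. The two manifests are constructed for illustration (the package names and service names are invented), and the mapping from permission to category is this example's own assumption, including the use of the Android 14 `FOREGROUND_SERVICE_MEDIA_PROJECTION` permission as a proxy for screen capture.

```python
"""
Manifest triage heuristic for sideloaded Android apps.

Added example (not Cyfirma's or Google's code). Scores a decoded
AndroidManifest.xml on two signals the Tanzeem write-up describes:
  1. an AccessibilityService declaration, and
  2. permissions covering call logs, contacts, SMS, location,
     accounts, external storage and screen capture.
A "chat" app that combines both is worth a closer look.
"""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"  # manifest attribute namespace

# Assumed mapping from permission to the data category in the article's list.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.RECEIVE_SMS": "SMS messages",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.GET_ACCOUNTS": "account information",
    "android.permission.READ_EXTERNAL_STORAGE": "external storage",
    "android.permission.MANAGE_EXTERNAL_STORAGE": "external storage",
    "android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION": "screen capture",
}
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def analyze_manifest(manifest_xml: str) -> dict:
    """Return the package, flagged accessibility services, sensitive
    categories requested, and a coarse verdict for analyst review."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "<unknown>")

    requested = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    categories = sorted({SENSITIVE_PERMISSIONS[p] for p in requested
                         if p in SENSITIVE_PERMISSIONS})

    # A service is an accessibility service if it binds with the system-only
    # permission or registers for the AccessibilityService intent action.
    accessibility = []
    for service in root.iter("service"):
        binds = service.get(ANDROID + "permission") == ACCESSIBILITY_BIND
        actions = {a.get(ANDROID + "name") for a in service.iter("action")}
        if binds or ACCESSIBILITY_ACTION in actions:
            accessibility.append(service.get(ANDROID + "name"))

    if accessibility and len(categories) >= 3:
        verdict = "review"   # both signals present: accessibility + broad data access
    elif accessibility or len(categories) >= 3:
        verdict = "watch"    # one signal present
    else:
        verdict = "low"

    return {"package": package, "accessibility_services": accessibility,
            "sensitive_categories": categories, "verdict": verdict}


# Constructed manifest resembling the permission profile described above.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.chat">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <application>
        <service android:name=".ChatAccessibilityService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>"""

# Constructed manifest of an ordinary messaging app for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.messenger">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application>
        <service android:name=".SyncService"/>
    </application>
</manifest>"""

if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(analyze_manifest(manifest))
```

The verdict is deliberately coarse: many legitimate apps request contacts or storage, and a few (screen readers, password managers) legitimately declare an accessibility service, so the script is a triage filter that prioritises what an analyst looks at next, not a malware classifier.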

Implications for Cybersecurity

The DoNot Team's activities highlight the growing challenges in combating sophisticated cyber threats. The use of seemingly legitimate platforms like OneSignal and deceptive user interfaces points to an increased focus on social engineering. Furthermore, the malware's ability to exploit Accessibility Services underscores the importance of educating users about the risks of granting unnecessary permissions.

Google's Response

Following the public disclosure of the Tanzeem malware, a Google spokesperson reassured users that no apps containing this malware were found on Google Play. Additionally, Google Play Protect—a security feature enabled by default on devices with Google Play Services—offers robust protection by detecting and blocking known malware, even when apps are sourced outside the Play Store. This emphasizes the importance of keeping Android devices updated and leveraging built-in security measures.

Conclusion

The emergence of the Tanzeem malware serves as a stark reminder of the evolving tactics employed by APT groups like the DoNot Team. By exploiting legitimate platforms and leveraging sophisticated techniques, these actors continue to pose significant threats to individuals and organizations. Enhanced awareness, stringent security measures, and continuous vigilance remain critical in mitigating such cyber risks. As threat actors innovate, so must the cybersecurity community in its defense strategies.
