DoNot, A Likely State-Backed Android Spyware Disguised as VPN and Chat Apps on Google Play

A group of threat actors backed by a government has been found using three Android applications available on Google Play to collect information from specific devices. The cybersecurity company, Cyfirma, identified the malicious apps and connected them to a hacking group from India called APT-C-35 or "DoNot". This group has been operating for several years and has focused on prominent institutions in Southeast Asia. A prior report by Amnesty International connected DoNot with an Indian cybersecurity company and exposed their involvement in a campaign involving the distribution of spyware dependent on a fraudulent messaging application.

The Android applications employed in the recent campaign by DoNot function as tools to collect fundamental data from the targeted devices, particularly in the Kashmir and Pakistan regions. This preliminary phase aims to lay the groundwork for more potent malware attacks. Cyfirma uncovered two questionable apps called nSure Chat and iKHfaa VPN on Google Play, both originating from a publisher named 'SecurITY Industry.' Additionally, another app by the same publisher, which seems to be benign, is accessible on the platform. The relatively small number of downloads for these applications suggests that they are used selectively, targeting specific individuals or groups.


When installing the nSure Chat and iKHfaa VPN apps, users are prompted to grant permissions that may pose potential risks, including accessing their precise location and contact list information. The information is subsequently sent to the malicious actor. When GPS is not activated, the applications retrieve the most recent recorded location of the device. The gathered data is stored on the device using the ROOM library of Android and subsequently transmitted to the attacker's command-and-control (C2) server through an HTTP request. The VPN application uses the C2 server "https[:]ikhfaavpn[.]com," while the server address linked to nSure Chat has been associated with past Cobalt Strike operations.

Based on distinct code features, including the utilization of encrypted strings employing the Proguard obfuscation and AES/CBC/PKCS5PADDING algorithm, analysts from Cyfirma have linked the campaign to the DoNot group. These methods are typically connected to hackers from India. Additionally, similarities between the file names generated by the malicious apps and those employed in previous DoNot campaigns indicate a consistent pattern.

The analysts have observed a shift in the strategies utilized by the assailants. Instead of utilizing phishing emails containing harmful attachments, they now depend on targeted messaging assaults through platforms such as WhatsApp and Telegram. The victims are directed via personal messages to a reputable platform, the Google Play store, that enhances the credibility of the attack. This approach simplifies the process of deceiving victims into downloading the recommended applications.

The targets of DoNot's recent campaign, located in Pakistan, have been identified, although there is limited information about them. The exact motive for the attacks and the specific organizations that have been targeted remains unknown.

In conclusion, a government-backed group of threat actors, known as DoNot, has been using three Android applications on Google Play to gather information from targeted devices. These apps, attributed to the Indian hacking group, serve as the initial stage for data collection, preparing the ground for more sophisticated malware attacks. The motive behind the campaign and the specific organizations targeted remain unknown.

Read next: This Android Malware Targets Backed Up Data from WhatsApp
Previous Post Next Post