The cybersecurity team at CYFIRMA recently uncovered a series of suspicious Android apps hosted on the Google Play Store under the account “SecurITY Industry.” Upon further investigation, it was determined that these apps exhibited malware characteristics and were linked to the notorious Advanced Persistent Threat Group known as “DoNot.”
This threat group had previously targeted individuals in the Kashmir region and was now observed using Android payloads against individuals in the Pakistan region. The motive behind these cyber strikes remains unknown, but technical analysis suggests that the primary goal is to gather information through a stager payload, with plans for a second-stage attack utilizing malware with more destructive features. In their discovery, CYFIRMA identified three Android apps hosted by “SecurITY Industry” on the Google Play Store: Device Basic Plus, nSure Chat, and iKHfaa VPN.
Two of these apps, nSure Chat and iKHfaa VPN, were found to have malicious characteristics. Notably, iKHfaa VPN utilized code from a legitimate VPN service provider but injected additional libraries to carry out malicious activities surreptitiously. These actions raised suspicions, as VPN apps typically do not require location and contact permissions for their regular functioning. The technical analysis conducted by CYFIRMA sheds light on the tactics employed by the DoNot threat actor in deploying Android payloads on the Google Play Store to target victims in the South Asian region.
During the technical analysis, it was observed that after the installation of iKHfaa VPN, users were prompted to enable location permissions. This indicates a deliberate effort by the threat actor to gain access to the compromised victim’s location data, highlighting the sophisticated nature of the attack. The findings underscore the importance of vigilant cybersecurity measures and continuous monitoring to detect and mitigate such threats in the rapidly evolving landscape of cyber warfare.
Reference:
