The hacking group DoNot Team, also known as APT-C-35, Origami Elephant, SECTOR02, and Viceroy Tiger, has been linked to new Android malware called Tanzeem and Tanzeem Update. These malicious apps, detected by cybersecurity firm Cyfirma in October and December 2024, disguise themselves as chat applications but fail to function as such once installed. Instead, they immediately shut down after obtaining necessary permissions, suggesting they are designed to target specific individuals or groups for intelligence gathering. DoNot Team, believed to be of Indian origin, has a history of leveraging spear-phishing and Android malware to achieve its objectives.
The malware exhibits advanced capabilities, requesting permissions to access sensitive data such as call logs
The malware exhibits advanced capabilities, requesting permissions to access sensitive data such as call logs, contacts, precise locations, SMS messages, and account information. It also uses the accessibility services API to perform malicious actions, including capturing screen recordings and connecting to a command-and-control server. A particularly concerning feature is the app’s use of the OneSignal platform to send push notifications containing phishing links, which lead to the deployment of additional malware. This tactic highlights the evolving sophistication of DoNot Team’s operations, aimed at ensuring the persistence of the malware on compromised devices.
Cyfirma noted that the apps’ names, “Tanzeem” and “Tanzeem Update,” suggest their focus on targeting specific entities both inside and outside India. The fake chat application interface is a ruse to trick victims into granting permissions, making it easier for the malware to operate undetected. The group’s previous activities include the deployment of a .NET-based backdoor called Firebird in October 2023, which targeted victims in Pakistan and Afghanistan. These campaigns align with DoNot Team’s overarching goal of gathering intelligence for national interests.
The latest campaign demonstrates a shift in tactics, with the malware employing deceptive push notifications to further infiltrate devices. This approach not only extends the lifespan of the malware but also indicates DoNot Team’s commitment to advancing its capabilities for intelligence collection. While the exact targets of the Tanzeem malware remain unknown, the campaign underscores the group’s focus on high-value individuals and entities, likely connected to internal threats. Cyfirma’s analysis sheds light on the persistent and evolving nature of this threat actor, raising alarms about its growing sophistication and targeted operations.