Indian APT Group DONOT Misuses App for Intelligence Gathering
A malicious Android application disguised as a chat platform has been linked to the Indian Advanced Persistent Threat (APT) group DONOT, which specializes in intelligence gathering.
The connection, made by researchers at Cyfirma, highlights the group’s continued efforts to collect strategic data in South Asia and leverage seemingly innocent platforms for covert operations.
Named “Tanzeem” and “Tanzeem Update,” the app appears to target specific individuals and groups, including those potentially affiliated with terrorist organizations.
Though its name suggests legitimate communication functions, the app fails to operate once installed. Instead, it prompts users to grant dangerous permissions that enable attackers to access sensitive data.
Technical Exploitation
The app itself exploits OneSignal, a legitimate customer engagement platform widely used for push notifications, to deliver phishing links. This marks the first instance of the DONOT group incorporating this tool into their malware operations.
Upon installation, the app requires accessibility access. This leads victims to unknowingly enable broad data harvesting capabilities.
Key permissions the app seeks include:
- Read Call Logs: Accessing and extracting call records
- Read SMS: Intercepting text messages
- Access Fine Location: Tracking live device movement
- External Storage Access: Exploring, modifying, and transferring files
The collected data is sent to command-and-control (C2) servers via Appspot domains and includes call logs, contact lists, location data, and more. The app can also record screens and capture sensitive input, such as passwords.
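As an added defensive illustration, not code from the Cyfirma report, the following Python snippet triages an AndroidManifest.xml for the combination the report describes: a declared accessibility service alongside several of the listed dangerous permissions. The manifests embedded below are constructed for the example and are not the Tanzeem app's actual manifest.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Android permission names corresponding to the capabilities listed in the report.
HIGH_RISK_PERMISSIONS = {
    "android.permission.READ_CALL_LOG": "read call logs",
    "android.permission.READ_SMS": "read SMS",
    "android.permission.ACCESS_FINE_LOCATION": "fine location",
    "android.permission.READ_EXTERNAL_STORAGE": "external storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "external storage",
}
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
BIND_ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def triage_manifest(manifest_xml: str) -> dict:
    """Flag manifests that pair an accessibility service with >= 2 risky permissions."""
    root = ET.fromstring(manifest_xml)
    requested = {p.get(NAME) for p in root.iter("uses-permission")}
    risky = sorted({HIGH_RISK_PERMISSIONS[p] for p in requested if p in HIGH_RISK_PERMISSIONS})
    accessibility = False
    for svc in root.iter("service"):
        # A real accessibility service must be bound with this permission and
        # register the AccessibilityService intent action; check both.
        if svc.get(PERMISSION) == BIND_ACCESSIBILITY:
            accessibility = True
        if any(a.get(NAME) == ACCESSIBILITY_ACTION for a in svc.iter("action")):
            accessibility = True
    return {"risky": risky, "accessibility_service": accessibility,
            "suspicious": accessibility and len(risky) >= 2}


# Constructed sample manifest mimicking the permission profile described above.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chat">
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application>
    <service android:name=".Helper" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed benign manifest: network access only, no accessibility service.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes"><uses-permission android:name="android.permission.INTERNET"/></manifest>"""
```

The heuristic is deliberately coarse; legitimate accessibility apps exist, so treat a hit as a reason to inspect the APK further rather than as proof of malice.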
Expanding Threats
Cyfirma warned that DONOT’s activities extend beyond internal surveillance. The group targets South Asian organizations, employing evolving techniques to maintain their operations.
The Cyfirma report also identifies several domains and SHA-256 hashes linked to the malware. These include:
- toolgpt[.]buzz (C2 domain)
- Solarradiationneutron[.]appspot[.]com (subdomain)
- SHA-256 hash: 8689D59AAC223219E0FDB7886BE289A9536817EB6711089B5DD099A1E580F8E4
“The cybersecurity community is well aware that the DONOT group is actively targeting organizations and individuals across the South Asia region,” Cyfirma warned.
“As the group continues to evolve, we can expect further modifications in their tactics, aiming to strengthen their ability to maintain persistence in future cyberattacks using Android malware.”