CYFIRMA, a cybersecurity firm, has recently uncovered suspicious Android apps on the Google Play Store under the account name “SecurITY Industry.” Upon conducting technical analysis, they found that these apps contained malware characteristics and were associated with the notorious Advanced Persistent Threat Group known as “DoNot,” which had previously targeted individuals in the Kashmir region. Surprisingly, the threat actor has now shifted its focus to individuals in Pakistan, although the motive behind these cyberattacks in the South Asian region remains unknown.

Newer strategies involve texting the victim via Telegram and WhatsApp

The analysis revealed that the attackers aimed to gather information through a stager payload in the initial stage of the attack. This information would then be utilized for a second-stage attack, employing more dangerous malware. CYFIRMA identified three Android apps hosted by the “SecurITY Industry” account on the Google Play Store: Device Basic Plus, nSure Chat, and iKHfaa VPN. Of these, nSure Chat and iKHfaa VPN exhibited malicious characteristics. The threat actor cleverly disguised these apps, using innocent Android libraries to extract contacts and the location of compromised victims. iKHfaa VPN even copied its code from a legitimate VPN service provider and added additional libraries to carry out malicious activities.


Further code analysis conducted by CYFIRMA revealed that the threat actor used AES/CBC/PKCS5PADDING encryption and ProGuard obfuscation to conceal the malicious nature of the apps. These findings led to the conclusion that the Google Play Store account hosting these apps is connected to the APT (Advanced Persistent Threat) group DoNot: the encryption methods and the reuse of file names seen in previous Android malware samples linked these apps to DoNot.
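The two paragraphs above describe what an analyst looks for when triaging such an app: sensitive permissions (contacts, location) paired with the APIs that use them, a standard cipher transformation fed from hardcoded key material, and ProGuard-style renamed classes. The following script is an added example, not CYFIRMA's tooling or the report's own analysis; it runs the same static heuristics over a constructed manifest and a few constructed decompiled Java snippets (made up here to illustrate the pattern, not taken from the apps in the report) and returns a structured finding set a reviewer can act on.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample manifest (not from the report) for an app that asks for
# contacts and precise location while presenting itself as a VPN client.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.vpnclient">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="Example VPN"><activity android:name=".MainActivity"/></application>
</manifest>"""

# Constructed decompiled sources keyed by path: one readable class plus two
# ProGuard-style renamed classes, one of which decrypts with a hardcoded key/IV.
SAMPLE_SOURCES = {
    "com/example/vpnclient/MainActivity.java":
        "package com.example.vpnclient;\npublic class MainActivity extends android.app.Activity {}\n",
    "a/b/c.java": """package a.b;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import javax.crypto.spec.IvParameterSpec;
public class c {
    static final String a = "0123456789abcdef";
    static byte[] b(byte[] d) throws Exception {
        Cipher e = Cipher.getInstance("AES/CBC/PKCS5PADDING");
        e.init(Cipher.DECRYPT_MODE, new SecretKeySpec(a.getBytes(), "AES"), new IvParameterSpec(a.getBytes()));
        return e.doFinal(d);
    }
}
""",
    "a/b/d.java": """package a.b;
import android.content.ContentResolver;
import android.provider.ContactsContract;
import android.location.LocationManager;
public class d {
    void a(ContentResolver r) { r.query(ContactsContract.Contacts.CONTENT_URI, null, null, null, null); }
}
""",
}

SENSITIVE_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "contact harvesting",
    "android.permission.ACCESS_FINE_LOCATION": "precise location tracking",
    "android.permission.ACCESS_COARSE_LOCATION": "coarse location tracking",
    "android.permission.READ_SMS": "SMS reading",
}
# Framework classes whose presence shows the permission is actually exercised.
API_HINTS = {
    "ContactsContract": "reads contacts",
    "LocationManager": "queries device location",
    "FusedLocationProviderClient": "queries device location",
}
ANDROID_NAME = "{http://schemas.android.com/apk/res/android}name"
CIPHER_RE = re.compile(r'Cipher\.getInstance\(\s*"([^"]+)"\s*\)')
STRING_CONST_RE = re.compile(r'static\s+final\s+String\s+(\w+)\s*=\s*"([^"]*)"')
KEY_SPEC_RE = re.compile(r'new\s+(SecretKeySpec|IvParameterSpec)\(\s*(\w+)\.getBytes\(')
# ProGuard default naming: every package segment and the class name are 1-2 lowercase letters.
OBF_PATH_RE = re.compile(r'^(?:[a-z]{1,2}/)+[a-z]{1,2}\.java$')


def sensitive_permissions(manifest_xml):
    """Return the declared permissions that are on the sensitive list."""
    root = ET.fromstring(manifest_xml)
    declared = [el.get(ANDROID_NAME) for el in root.iter("uses-permission")]
    return {p: SENSITIVE_PERMISSIONS[p] for p in declared if p in SENSITIVE_PERMISSIONS}


def crypto_findings(source):
    """Flag cipher transformations and key/IV specs built from string constants."""
    consts = dict(STRING_CONST_RE.findall(source))
    findings = [("cipher_transformation", t) for t in CIPHER_RE.findall(source)]
    for spec, var in KEY_SPEC_RE.findall(source):
        if var in consts:  # key material is a compile-time literal, not derived at runtime
            findings.append(("hardcoded_key" if spec == "SecretKeySpec" else "hardcoded_iv", var))
    return findings


def obfuscation_ratio(paths):
    """Fraction of classes with ProGuard-style single/double-letter names."""
    return sum(1 for p in paths if OBF_PATH_RE.match(p)) / len(paths) if paths else 0.0


def triage(manifest_xml, sources):
    """Combine the heuristics into one finding set with a simple additive score."""
    perms = sensitive_permissions(manifest_xml)
    crypto, apis = {}, {}
    for path, src in sources.items():
        if (f := crypto_findings(src)):
            crypto[path] = f
        if (used := sorted({d for tok, d in API_HINTS.items() if tok in src})):
            apis[path] = used
    hardcoded = sum(1 for f in crypto.values() for kind, _ in f if kind.startswith("hardcoded_"))
    obf = obfuscation_ratio(list(sources))
    score = len(perms) + hardcoded + (1 if obf > 0.5 else 0)
    return {"sensitive_permissions": perms, "crypto": crypto, "data_apis": apis,
            "obfuscation_ratio": round(obf, 2), "score": score}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_MANIFEST, SAMPLE_SOURCES).items():
        print(f"{key}: {value}")
```

None of these signals is conclusive on its own: release builds of legitimate apps are routinely ProGuard-minified, and AES/CBC with PKCS5 padding is the default on countless clean apps. The combination that matters for a reviewer is the one the report describes: a sensitive permission that is actually exercised by a renamed class, alongside decryption keyed from a compile-time literal, which is a strong hint that the app carries an encrypted payload or configuration it does not want inspected.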

The specific victims targeted by this Android malware in Pakistan remain largely unknown. However, based on the malware’s characteristics and access, it can be inferred that the threat actor’s intention is to gather information for future attacks using more advanced malware. Previous tactics employed by DoNot involved spear phishing attacks using malicious Word documents, but this recent shift indicates a strategy centered around luring victims through messaging platforms like Telegram or WhatsApp, ultimately leading them to install the malicious apps from the Google Play Store.

By leveraging the trust users place in the Play Store, these threat actors can greatly increase the chances of successful compromises. The rigorous examination of permissions during the app uploading process on the Play Store makes it uncommon for such malicious apps to bypass security checks.
