According to cybersecurity company Cyfirma, hacking group DoNot, also known as APT-C-35 and SectorE02, is behind several Android apps that are believed to have malware characteristics.
The group is believed to have been targeting South Asian victims since 2016 and has recently been linked to cyberattacks in the Kashmir region.
According to Cyfirma, the two-stage attack first collects information via a stager payload and then goes on to use malware to compromise targets linked to Pakistan.
Android malware apps
Fronting the attacks are the nSure Chat app which promises end-to-end encrypted messaging, Device Basics Plus which looks to present device and hardware statistics in a simple dashboard, and iKHfaa VPN, all developed by SecurITY Industry.
nSure Chat and iKHfaa VPN both appear to have malicious characteristics, with the VPN app having copied code from a legitimate VPN service provider and injected additional libraries to silently perform malicious activity.
Permission to access phone contacts and system location are most concerning, with live location tracking enabled should the user accept.
In its report, Cyfirma suggests that the group may be linked to India, citing numerous sources including other security communities, and could even be backed by the government. Military, telecom, government, NGO, and embassy bodies all look to be the subjects of spear phishing, spear messaging, and social engineering attacks, which primarily revolve around the Android mobile operating system, but also Windows.
A Google spokesperson confirmed in an email to TechRadar Pro:
"These apps have been removed from Google Play and the developer has been banned. Google Play Protect protects users from apps known to contain this malware on Android devices with Google Play Services, even when those apps come from other sources."
- Check out our roundup of the best firewalls to stay safe
