Security researchers analyzed two Android applications named “Tanzeem” and “Tanzeem Update,” both displaying malicious behavior.
The applications are designed to mimic legitimate chat applications and leverage the OneSignal library to deliver push notifications containing phishing links.
The phishing-link notifications are consistent with the group's past tactics, while the use of OneSignal to deliver them is a new addition to its arsenal.
The two samples are otherwise near-identical, with only minor UI differences between the October and December builds.
Upon installation, the applications request permissions but never deliver working chat functionality, which suggests their real purpose is to stage further malicious payloads via push notifications.
The Tanzeem app displays a landing page, which is then followed by a fake chat interface. When the chat is initiated, a prompt appears asking the user to enable accessibility permissions.
Accessibility privileges would allow the app to intercept and misuse user interactions, for example for keylogging or data exfiltration.
The accessibility settings page is then displayed; once the user enables the service there, the app holds the privileges it needs to operate.
The AndroidManifest.xml file reveals that the malicious app requests several dangerous permissions that include reading call logs, contacts, SMS, and external storage, which allows the app to steal sensitive user data and potentially modify files on the device.
Communicating with its command-and-control server through the OneSignal library, the application most likely receives instructions and exfiltrates stolen data.
It fetches information about the device and its granted permissions, and its pursuit of accessibility privileges hints at capabilities for screen recording or interacting with the UI without user consent.
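The permission and accessibility-service combination described above is something an analyst can check statically before running a sample. The following triage script is an added example, not code from Cyfirma or from the Tanzeem APK; the two manifests it parses are constructed for illustration, and the service and package names in them are assumptions, not indicators from the report.

```python
"""Static triage of an AndroidManifest.xml for the pattern described in the
article: data-theft permissions plus a bound accessibility service, with the
OneSignal push library present. Added example; manifests below are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"
BIND_A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Runtime ("dangerous") permissions the article says the sample requests.
DANGEROUS = {
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}

# Constructed manifest resembling the described behaviour (not the real APK).
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application>
    <service android:name=".A11yService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name="com.onesignal.NotificationServiceExtension"/>
  </application>
</manifest>
"""

# Constructed benign-looking manifest: one contact permission, no accessibility.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.addressbook">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application/>
</manifest>
"""


def triage_manifest(xml_text):
    """Return the facts an analyst wants from the manifest plus a verdict."""
    root = ET.fromstring(xml_text)
    # Attribute names carry the android: namespace; element names do not.
    permissions = {e.get(NAME) for e in root.iter("uses-permission")}
    accessibility = [
        s.get(NAME) for s in root.iter("service") if s.get(PERMISSION) == BIND_A11Y
    ]
    components = [e.get(NAME) for e in root.iter() if e.get(NAME)]
    uses_onesignal = any(n.startswith("com.onesignal.") for n in components)
    dangerous = sorted(permissions & DANGEROUS)
    # Heuristic: an accessibility service combined with two or more data-theft
    # permissions in a "chat" app matches the behaviour the article describes.
    suspicious = bool(accessibility) and len(dangerous) >= 2
    return {
        "package": root.get("package"),
        "dangerous_permissions": dangerous,
        "accessibility_services": accessibility,
        "uses_onesignal": uses_onesignal,
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage_manifest(manifest))
```

In practice the manifest is pulled from an APK with `apktool d sample.apk` (or `aapt dump xmltree`) and fed to `triage_manifest`; OneSignal itself is a legitimate SDK, so its presence is only a pivot for further analysis, not a verdict on its own.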
According to Cyfirma, the DONOT APT group has expanded its operations beyond domestic targets to organizations across South Asia, gathering strategic intelligence on India's behalf.
By using push notifications, the group's new Android malware can trick users into installing additional malicious payloads, which helps keep the device infected for an extended period of time.
It utilizes obfuscation techniques to evade detection, collects device information, captures keystrokes and screenshots, extracts sensitive data, and exfiltrates stolen information to command-and-control servers.
The recently observed adoption of OneSignal indicates that the group is working to establish a persistent foothold on infected devices.
The group’s arsenal includes Command and Control (C2) infrastructure, such as “toolgpt[.]buzz,” “Updash[.]info,” and subdomains on “appspot[.]com,” that facilitate communication and control over compromised systems.
| Indicator | Type | Remarks |
| --- | --- | --- |
| 8689D59AAC223219E0FDB7886BE289A9536817EB6711089B5DD099A1E580F8E4 | SHA-256 | File hash |
| D512664DF24B5F8A2B1211D240E3E767F5DD06809BB67AFA367CDC06E2366AEC | SHA-256 | File hash |
| toolgpt[.]buzz | Domain | Command and control |
| Updash[.]info | Domain | Command and control |
| Solarradiationneutron[.]appspot[.]com | Sub-domain | Command and control |
| saturn789454[.]appspot[.]com | Sub-domain | Command and control |
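The indicators in the table are published defanged, so they must be refanged and normalised before they are useful in a detection pipeline. The script below is an added example, not part of the original report: it refangs the table's domains and hashes, then matches them against DNS resolver log lines and against an APK's SHA-256. The log lines and the log format (timestamp, client IP, query type, query name) are constructed assumptions.

```python
"""Refang the defanged indicators from the table and match them against DNS
query logs and APK hashes. Added example, not from the original report; the
DNS log lines and their format are constructed."""
import hashlib

IOCS = {
    "sha256": {
        "8689D59AAC223219E0FDB7886BE289A9536817EB6711089B5DD099A1E580F8E4",
        "D512664DF24B5F8A2B1211D240E3E767F5DD06809BB67AFA367CDC06E2366AEC",
    },
    "domains": {
        "toolgpt[.]buzz",
        "Updash[.]info",
        "Solarradiationneutron[.]appspot[.]com",
        "saturn789454[.]appspot[.]com",
    },
}


def refang(indicator):
    """Turn the publication-safe form ('[.]', 'hxxp') back into a usable value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


C2_DOMAINS = {refang(d) for d in IOCS["domains"]}
C2_HASHES = {h.lower() for h in IOCS["sha256"]}

# Constructed resolver log (assumed format: "timestamp client qtype qname").
# Includes a trailing-dot FQDN and a look-alike name that must NOT match.
DNS_LOG = """2024-12-03T10:14:02Z 10.0.0.21 A www.example.com
2024-12-03T10:14:05Z 10.0.0.21 A saturn789454.appspot.com
2024-12-03T10:14:09Z 10.0.0.34 A toolgpt.buzz.
2024-12-03T10:15:11Z 10.0.0.34 A notoolgpt.buzz
2024-12-03T10:15:40Z 10.0.0.40 A UPDASH.INFO
"""


def match_dns(log_text):
    """Return (timestamp, client, qname) for queries to a listed C2 domain or a
    subdomain of one. Trailing dots and case are normalised; a name that merely
    ends with the same characters (notoolgpt.buzz) is not a hit."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, client, _qtype, qname = parts[:4]
        name = qname.rstrip(".").lower()
        if any(name == d or name.endswith("." + d) for d in C2_DOMAINS):
            hits.append((ts, client, name))
    return hits


def match_file(data):
    """True if the SHA-256 of an APK's bytes is one of the listed file hashes."""
    return hashlib.sha256(data).hexdigest() in C2_HASHES


if __name__ == "__main__":
    for hit in match_dns(DNS_LOG):
        print("C2 lookup:", *hit)
    print("sample hash match:", match_file(b"constructed bytes, not the sample"))
```

The `appspot.com` entries are a reminder that blocking the parent domain is not an option: Google App Engine hosts legitimate applications on the same suffix, so matching has to stay at the specific sub-domain level, which is what the equality-or-subdomain test above does.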