CYFIRMA researchers have uncovered an Android malware campaign that they attribute to the Indian APT (Advanced Persistent Threat) group known as DoNot Team.
The group, also tracked as APT-C-35 and Origami Elephant, has been active since 2016 and focuses on government and military entities, foreign ministries, and embassies across South Asia, particularly in India, Pakistan, Sri Lanka, and Bangladesh.
The malware, named Tanzeem and Tanzeem Update, was first detected by CYFIRMA in October and December 2024, respectively. Both versions of the malware share similar code with only minor differences, such as variations in the user interface and color schemes.
The Tanzeem app poses as a benign messaging app, with a user interface built to mimic chat functionality. Its first action is to prompt the user to grant it accessibility access; once an accessibility service is enabled, Android allows the app to read the contents of the screen and interact with other apps on the user's behalf, which is why this single permission is the gateway to everything that follows.
Upon clicking the START CHAT button, a pop-up notification directs users to the settings page, where they are asked to enable the necessary permissions. The malware is then capable of collecting call logs, contacts, SMS messages, precise geolocation data, account information, and files stored in external storage. It can also record the device's screen, giving the operators a further means of surveillance.
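A manifest-level triage check, written here as an added example rather than anything from CYFIRMA's report, shows how an analyst can screen a decoded APK for the pattern described above: a self-declared accessibility service combined with permissions covering the same data categories (call logs, contacts, SMS, precise location, accounts, external storage). Screen recording is requested at runtime through MediaProjection, so it does not appear in the manifest and is not checked here. The two manifests are constructed for the example and are not Tanzeem indicators; the verdict thresholds are an assumption chosen for illustration, and a real APK's manifest must first be decoded from binary XML (for example with apktool) before being fed to this parser.

```python
"""Triage a decoded AndroidManifest.xml for the accessibility-plus-harvesting pattern.

Added example; the manifests below are constructed and do not come from any real sample.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERMISSION_ATTR = f"{{{ANDROID_NS}}}permission"

# Manifest permissions that correspond to the data categories the article lists.
HARVEST_PERMISSIONS = {
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.ACCESS_FINE_LOCATION": "precise geolocation",
    "android.permission.GET_ACCOUNTS": "account information",
    "android.permission.READ_EXTERNAL_STORAGE": "files in external storage",
    "android.permission.MANAGE_EXTERNAL_STORAGE": "files in external storage",
}
# A service that the system may bind to as an accessibility service must declare this permission.
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def parse_manifest(xml_text):
    """Return (requested permissions, names of declared accessibility services)."""
    root = ET.fromstring(xml_text)
    requested = {e.get(NAME_ATTR) for e in root.iter("uses-permission")}
    accessibility_services = [
        s.get(NAME_ATTR) for s in root.iter("service")
        if s.get(PERMISSION_ATTR) == ACCESSIBILITY_BIND
    ]
    return requested, accessibility_services


def triage(xml_text):
    """Score a manifest. Thresholds are an assumption for this example, not a published rule."""
    requested, services = parse_manifest(xml_text)
    categories = sorted({HARVEST_PERMISSIONS[p] for p in requested if p in HARVEST_PERMISSIONS})
    if services and len(categories) >= 2:
        verdict = "suspicious"      # accessibility service plus broad data access
    elif services or len(categories) >= 3:
        verdict = "review"          # one strong signal on its own
    else:
        verdict = "clean"
    return {
        "accessibility_services": services,
        "harvest_categories": categories,
        "verdict": verdict,
    }


# Constructed manifest mirroring the capability set described in the article.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application android:label="Chat">
    <service android:name=".SvcAccess"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed manifest for a plausible benign chat app: contacts access is normal, nothing else.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.realchat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
  <application android:label="RealChat"/>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage(manifest))
```

Because the check keys on the combination rather than on any single permission, a legitimate messaging app that reads contacts stays clean, while an app that also declares an accessibility service and asks for call logs, SMS and location is surfaced for manual analysis.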
To distribute the malware, the DoNot Team is abusing OneSignal, a widely used platform for sending push notifications, emails, SMS, and in-app messages: phishing links are delivered to already-infected devices as push notifications, a channel that looks legitimate to the user and carries the link outside the app's own code.
“The ongoing efforts by the notorious DONOT APT extend beyond gathering intelligence on internal threats; they have also targeted various organizations in South Asia to assist India with strategic intelligence collection,” the researchers noted. “The collected samples reveal a new tactic involving push notifications that encourage users to install additional Android malware, ensuring the persistence of the malware on the device. This tactic enhances the malware’s ability to remain active on the targeted device, indicating the threat group’s evolving intentions to continue participating in intelligence gathering for national interests.”