A stealthy and dangerous spyware campaign from the DoNot APT possibly targeted hundreds of Android users by posing as fake VPN and chat apps on The Google Play Store. Users must check their devices and delete the apps immediately if found running.
DoNot APT Spyware Campaign Spread Via Fake Android Apps
Researchers from the cybersecurity firm Cyfirma caught a sneaky spyware campaign targeting Android users. However, this spyware campaign is different from the usual campaigns in that it seemingly targets users from a specific nation.
Specifically, the researchers noticed the activity from the notorious DoNot APT Group – an Indian (presumably, state-backed) threat actor’s group. The recent DoNot APT activity involves spreading spyware via two fake Android apps that appeared on the Google Play Store. These include the iKHfaa VPN app and nSure Chat app. Both these apps belonged to the same developer named as “SecurITY Industry” on Play Store.
A third application, “Device Basics Plus app” – a device help utility providing basic system details to the user on a single screen, also belonged to the same developers. But it didn’t exhibit any malicious behavior at the time of analysis.
Regarding the iKHfaa VPN app, the app seemed legit as it offered the basic VPN functionality as claimed. However, it asked for explicit device permissions, including device location and contacts list, which alarmed the researchers. Also, the “About” section of the app displayed the actual app name (Liberty VPN – a legit VPN app) the threat actors used to design their malicious VPN on.
Likewise, the nSure Chat app also requested similar permissions, and analyzing the app revealed the uncanny malicious code similarities between the two apps. Both apps transmitted stolen data from the device to the attackers’ C&C.
The detailed technical analysis of this campaign and the malicious apps is available in the researchers’ report.
The Threat Still Persists…
Apparently, this campaign seems targeted at Android users in Pakistan. However, more details about the victims and the way of spreading this spyware to the intended victims remain unclear.
At the time of writing this story, the iKHfaa VPN app seems deleted from the Google Play Store. However, the nSure Chat and the Device Basics Plus apps still exist, indicating that the threat isn’t over.
While the apps show a very small number of downloads, it’s still wise for Android users to scan their devices for the possible presence of any of these apps. And if detected, users must delete them immediately, followed by a robust antivirus scan, to remove the threat.
Let us know your thoughts in the comments.