According to cybersecurity company Cyfirma, hacking group DoNot, also known as APT-C-35 and SectorE02, is behind several Android apps that are believed to have malware characteristics.
The group is believed to have been targeting South Asian victims since 2016 and has recently been linked to cyberattacks in the Kashmir region.
According to Cyfirma, the two-stage attack first collects information via a stager payload and then goes on to use malware to compromise targets linked to Pakistan.
Android malware apps
Fronting the attacks are the nSure Chat app, which promises end-to-end encrypted messaging; Device Basics Plus, which presents device and hardware statistics in a simple dashboard; and iKHfaa VPN, all developed by SecurITY Industry.
nSure Chat and iKHfaa VPN both appear to have malicious characteristics, with the VPN app having copied code from a legitimate VPN service provider and injected additional libraries to silently perform malicious activity.
The requested permissions to access phone contacts and system location are the most concerning, since live location tracking is enabled if the user grants them.
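As an added illustration (not code from the article or from Cyfirma's report), the following Python script shows the kind of manifest triage a defender can run over an APK to flag the permission combination described above: contacts access paired with location access, and background location in particular. The AndroidManifest.xml it parses is constructed for the demo; the permission strings are standard Android permission names, and the flagging policy is an assumption for illustration rather than any vendor's rule.

```python
# Added example (not from the TechRadar article or Cyfirma's report): a small
# triage script that inspects an AndroidManifest.xml for the permission
# combination the article flags (contacts plus location). The manifest below
# is constructed for the demo; the permission names are standard Android ones.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions a chat or VPN app would rarely need together (assumption: this
# policy is illustrative, not a vendor rule).
CONTACT_PERMS = {"android.permission.READ_CONTACTS"}
LOCATION_PERMS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_BACKGROUND_LOCATION",
}

# Constructed sample manifest for a "VPN" app that also asks for contacts and
# fine/background location, mirroring the behaviour described in the article.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.samplevpn">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>
    <application android:label="Sample VPN"/>
</manifest>
"""


def declared_permissions(manifest_xml: str) -> set:
    """Return the set of permission names declared in <uses-permission> tags."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for node in root.iter("uses-permission"):
        name = node.get("{%s}name" % ANDROID_NS)
        if name:
            perms.add(name)
    return perms


def triage(manifest_xml: str) -> dict:
    """Flag the contacts-plus-location combination and background location."""
    root = ET.fromstring(manifest_xml)
    perms = declared_permissions(manifest_xml)
    contacts = sorted(perms & CONTACT_PERMS)
    location = sorted(perms & LOCATION_PERMS)
    background = "android.permission.ACCESS_BACKGROUND_LOCATION" in perms
    findings = []
    if contacts and location:
        findings.append(
            "contacts plus location: possible contact harvesting with location tracking"
        )
    if background:
        findings.append(
            "background location: app can track the device when not in the foreground"
        )
    return {
        "package": root.get("package"),
        "permissions": sorted(perms),
        "contacts": contacts,
        "location": location,
        "findings": findings,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_MANIFEST)
    print(result["package"], "suspicious" if result["suspicious"] else "clean")
    for finding in result["findings"]:
        print(" -", finding)
```

On a real device or in a lab, the manifest is obtained from the APK (for example with `aapt dump xmltree` or `apktool`), and the same check can be extended with a per-category allowlist so that a messaging app declaring contacts access alone is not flagged while one that also asks for background location is.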
In its report, Cyfirma suggests that the group may be linked to India, citing numerous sources including other security communities, and could even be backed by the government. Military, telecom, government, NGO, and embassy bodies all look to be the subjects of spear phishing, spear messaging, and social engineering attacks, which primarily revolve around the Android mobile operating system, but also Windows.
TechRadar Pro has asked Google for more information about its Play Store policies and why these apps have been allowed on its app download platform.