DoNot APT Group, also known as APT-C-35, is an Advanced Persistent Threat (APT) group targeting government-related organizations. DoNot has a reputation for carrying out APT attacks against India, Pakistan, Argentina, and countries in South Asia. This group mainly spreads malware using malicious programs developed in C++, Python, .NET, and other languages.
DoNot APT mainly spreads malware via spear-phishing emails containing malicious documents and files. In addition to spreading malware via spear-phishing emails with attachments that contain either a vulnerability or a malicious macro, this APT group leverages malicious Android APKs in their target attacks.
Android-based Spyware applications are often disguised as system tools and in some cases as fake apps, counterfeit mobile games, and fake news apps. Post installation, these apps perform Trojan functions in the background and can remotely control the victim’s system, besides stealing confidential information from the targeted device.
During our Open-Source Intelligence (OSINT) research, Cyble researchers found a malware sample of the DoNot APT group posted on Twitter. Upon analyzing the malware sample, the Cyble Research Lab discovered that it is a fake app disguised as a legitimate messaging app that collects sensitive information from the victim’s device.
The APT group uses the deobfuscation code along with some packers within the application to conceal malicious functionalities. This prevents the spyware from being detected during the static analysis of the app.
We performed the technical analysis of an APK, with the following hash value:
App name: Mecaller.apk
Package name: com.chat.nsgnest
Some of the applications’ permissions, activities, and services that may be used to perform malicious activities are listed below:
We also performed a dynamic analysis and discovered that the app has an emulator check that avoids running the app in an emulator or VirtualBox, and only runs this app on legitimate devices. Further, on bypassing the scripts using Frida and on loading the application, it displays a message as shown in the figure below.
Figure 1 Error Message from The App on Loading It Through Frida Scripts
Using the same Frida scripts and on loading the various activities, the app requests users to enable the accessibility service and on activating, it displays the below message as shown in Figure 2.
Figure 2 – Message displayed on turning on the Accessibility Service
The malware then initiates malicious behavior from the application main class, “ime.serviceinfo.app.MainActivity“. The entry point of the app is this class, which gets executed at first when the user starts the application.
Using the above permissions granted from users, the following data is fetched from the devices:
- Tracking the user’s location along with network operator details, device location, latitude, and longitude from the compromised device.
Figure 3 Code to track the location of the device with Latitude and Longitude
- Checking for the availability of internet connection from the device to collect the network and connectivity information.
Figure 4 Checks for Internet connection Availability
- The application also has the capability to record audio and collect media files from the infected device without the user’s knowledge.
Figure 5 Code to Record Audio/Media Files from the Infected Device
- Sending text messages using permissions and SMS manager.
Figure 6 Sends text Messages using SMS Manager and Android Permissions
- Tracking the Service/Receiver that are registered post device reboot.
Figure 7 Registers the service/receiver on phone reboot
- After the accessibility service is enabled, the application launcher icon is removed from the main screen, thereby allowing the app to stay hidden.
Figure 8 Hides the Application launcher Icon from View
- Collecting the information on the running application processes or tasks.
Figure 9 Collects list of running processes
- Verifying the infected device fingerprint, hardware, and model to find out whether the application is executed through emulator or through VirtualBox. If it is executed through emulator, the application will not be performing any malicious activity to avoid any kind of detection.
Figure 10 Code to detect the analysis device (Emulator Check)
- Monitoring the device phone number from both outgoing and incoming calls using broadcastreceiver and storing the collected data into “CallLogs.txt“.
Figure 11 Code that queries phone numbers from incoming and outgoing calls
Figure 12 Code that monitors and collects call logs
- Monitoring the incoming messages, creating Protocol data unit (PDU), intercepting SMSes to collect information from them and storing the information in “sms.txt“.
Figure 13 Code that monitors and collects SMS data
Figure 14 Stores the collected SMS data
- Collecting phone contacts from the infected device and storing it in “contacts.txt” file.
Figure 15 Collects and stores Phone contacts
- Along with the above sensitive information, this malicious app has the code to fetch stored mail accounts and application accounts like Gmail, WhatsApp, besides storing the information in “accounts.txt“.
Figure 16 Code that collects and stores mail, application accounts
- Base64 Encryption technique used in multiple classes and methods.
Figure 17 Encrypted strings using Base64 encryption technique
Upon decrypting the encrypted strings, we were able to determine that the data being collected by this app is sent to the C2 link through which the application communicates and uploads the information to the server.
C2 Server: hxxp[:]//tinyshort[.]icu/
Spyware apps have been around for a long time, yet they still pose a significant threat to sensitive data on victim devices. The APT groups responsible for creating the spyware are constantly adapting and using various encryption techniques to avoid detection. This makes removal of the spyware nearly impossible, thus users should exercise caution while installing applications.
- Keep your anti-virus software updated to detect and remove malicious software.
- Uninstall the application if you find this malware in your device.
- Keep your system and applications updated to the latest versions.
- Use strong passwords and enable two-factor authentication.
- Download and install software only from trusted sites and official app stores.
- Verify the privileges and permissions requested by apps before granting them access.
- People concerned about the exposure of their stolen credentials in the dark web can register at AmIBreached.com to ascertain their exposure.
MITRE ATT&CK® Techniques- for Mobile
|Tactic||Technique ID||Technique Name|
|Defense Evasion||T1406 |
|Obfuscated Files or Information |
|Credential Access||T1409 |
|Access Stored Application Data |
Capture SMS Messages
|Network Information Discovery |
Capture SMS Messages
Access Contact List
Access Call Log
|System Network Connections |
Discovery Location Tracking
System Information Discovery
|Command and Control||T1573 |
|Encrypted Channel |
Indicators of Compromise (IoCs):
Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the darkweb. Cyble’s prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups to Watch in 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.