Cybersecurity researchers at Cyfirma have uncovered a sophisticated malware campaign orchestrated by the notorious APT group DoNot Team (also known as APT-C-35 and Viceroy Tiger). The campaign features two malicious Android applications – Tanzeem and Tanzeem Update – which demonstrate nearly identical functionality with slight variations in their user interface design.
Advanced Malware Masquerading as Chat Applications
The malicious applications rely on social engineering rather than an exploit: they pose as legitimate chat apps to get installed. Once on the device, they ask the user to enable Android's Accessibility Service for the app, a system feature intended for assistive tools that, when granted to a malicious app, lets it read screen content, inject input and interact with other apps on the user's behalf. After installation the apps display a fake chat interface prompting the user to start a conversation, then stop functioning once the requested permissions have been obtained.
Comprehensive Device Compromise Capabilities
The Tanzeem malware family exhibits an extensive array of surveillance and data exfiltration capabilities, including:
– Call log and contact information harvesting
– SMS message interception
– Precise device location tracking
– Account information harvesting
– External storage access
– Screen capture and recording functionality
– Command and control (C2) communication
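The capability list above maps almost one-to-one onto Android manifest permissions, and the combination of an accessibility service with several of those permissions in an app that claims to be a chat client is the kind of pattern an analyst would check first when triaging a suspicious APK. The following script is an added example, not code from the Cyfirma report or from the malware, that parses an AndroidManifest.xml (as extracted by apktool or similar), lists the surveillance capabilities implied by the requested permissions, and flags the accessibility-plus-surveillance combination. The manifests embedded below are constructed for the example; the package names, service name and the threshold of three capabilities are assumptions, not indicators from the Tanzeem samples.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR_NAME = "{%s}name" % ANDROID_NS
ATTR_PERMISSION = "{%s}permission" % ANDROID_NS

# Manifest permissions that back the capabilities listed in the article.
SURVEILLANCE_PERMISSIONS = {
    "android.permission.READ_CALL_LOG": "call log harvesting",
    "android.permission.READ_CONTACTS": "contact harvesting",
    "android.permission.READ_SMS": "SMS interception",
    "android.permission.RECEIVE_SMS": "SMS interception",
    "android.permission.ACCESS_FINE_LOCATION": "precise location tracking",
    "android.permission.GET_ACCOUNTS": "account information harvesting",
    "android.permission.READ_EXTERNAL_STORAGE": "external storage access",
}

# Any app that registers an accessibility service must protect it with this permission,
# so its presence on a <service> element reveals the accessibility component.
BIND_ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def analyze_manifest(manifest_xml: str) -> dict:
    """Summarise the surveillance capabilities an app requests and flag the
    accessibility-service + surveillance-permission combination."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(ATTR_NAME) for el in root.iter("uses-permission")}
    accessibility_services = sorted(
        svc.get(ATTR_NAME)
        for svc in root.iter("service")
        if svc.get(ATTR_PERMISSION) == BIND_ACCESSIBILITY
    )
    capabilities = sorted(
        {SURVEILLANCE_PERMISSIONS[p] for p in requested if p in SURVEILLANCE_PERMISSIONS}
    )
    # Heuristic threshold (assumption): an accessibility service plus three or more
    # distinct surveillance capabilities is worth manual review.
    suspicious = bool(accessibility_services) and len(capabilities) >= 3
    return {
        "package": root.get("package"),
        "accessibility_services": accessibility_services,
        "capabilities": capabilities,
        "suspicious": suspicious,
    }


# Constructed manifest of a hypothetical spyware "chat" app (names are made up).
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakechat">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <application android:label="Chat">
        <service android:name="com.example.fakechat.AccessService"
                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

# Constructed manifest of an ordinary chat app for comparison (also made up).
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.chat">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:label="Chat"/>
</manifest>
"""

if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        report = analyze_manifest(manifest)
        print(report["package"], "suspicious" if report["suspicious"] else "ok",
              report["capabilities"], report["accessibility_services"])
```

Screen capture and C2 traffic do not show up as manifest permissions (MediaProjection is requested at runtime and network access only needs INTERNET), so this check is a first-pass filter, not a verdict; a hit should be followed by looking at the accessibility service's configuration and what the app does with the events it receives.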
Novel Distribution Strategy Using Push Notification Services
A particularly concerning aspect of this campaign is the threat actors' use of OneSignal, a legitimate push notification service. Researchers found that the group uses the service to push notifications carrying phishing links to infected devices, which gives the operators a channel for delivering additional malicious payloads and for keeping a foothold on compromised devices without depending on the app's own traffic.
Analysis suggests that DoNot Team, believed to operate from India, continues to evolve its approach to cyber espionage. While the specific targeting of this campaign remains under investigation, researchers assess that the Tanzeem malware suite serves as an intelligence-gathering tool. Abusing a third-party push notification platform to deliver follow-on phishing links is a notable shift in mobile malware tradecraft, because the traffic blends in with a widely used legitimate service and gives the operators a way to re-engage victims over time. Organizations and individuals are advised to install apps only from verified sources, grant mobile applications the minimum permissions they need, and treat any chat app that asks to be enabled as an accessibility service as a red flag.