Is it a VPN? It's a cat? No, it's malware


Camille Coirault

June 21, 2023 at 11:00 a.m.


Warning malware virus © Shutterstock x Clubic.com


It is no secret that as technology advances, cybersecurity issues become more complex. When it comes to stealing data, any technique will do. Cyfirma, a cybersecurity firm based in Singapore, recently revealed three Android apps used by state-sponsored actors to collect data illegally.

These apps mainly target victims' location data and contact lists, and are attributed to the Indian group "DoNot". This would be the first step in a larger-scale attack that this group of hackers is seeking to carry out. The modus operandi is fairly classic: hiding malware in applications available for download on Google Play. The technique is not new; we already wrote an article about it in May.

The apps in question

The applications flagged by Cyfirma are nSure Chat and iKHfAA VPN. These two applications can be downloaded through a third, called Security Industry. Even though the latter does not appear malicious, it can be used to fetch the first two, which are still available on Google Play. Given the relatively low total number of downloads of the two apps, one can assume that they are used on a small scale and in a very targeted manner.

Once the two applications are installed, they request access to location data (ACCESS_FINE_LOCATION) and to the user's contact list (READ_CONTACTS). Once these two types of data have been collected, they are stored locally using Android's Room persistence library, then sent to the hackers' command-and-control (C2) server in an HTTP request.
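The collection pattern described above (fine location plus contacts plus network access) is something an analyst can triage statically from an app's manifest before any dynamic analysis. The script below is an added example written for this article; it is not code from Cyfirma, Clubic or the apps discussed, and the manifest it parses is constructed, with a hypothetical package name. It is a triage heuristic only: many legitimate apps request the same permissions, so a hit is a reason to look closer, not a verdict.

```python
# Added example (not from the article or Cyfirma): static triage of an
# Android manifest for the permission combination the article describes.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Constructed sample manifest; the package name is hypothetical and does not
# refer to any real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakevpn">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:label="Sample VPN"/>
</manifest>
"""

# Permission sets that, together, match a collect-and-exfiltrate pattern:
# where the device is, who the user knows, and a channel to send it out.
LOCATION = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
}
CONTACTS = {"android.permission.READ_CONTACTS"}
NETWORK = {"android.permission.INTERNET"}


def requested_permissions(manifest_xml: str) -> set:
    """Return the set of permission names declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(NAME_ATTR)
        for el in root.iter("uses-permission")
        if el.get(NAME_ATTR)
    }


def triage(manifest_xml: str) -> dict:
    """Summarise which sensitive capabilities the manifest requests and
    whether the full location+contacts+network combination is present."""
    root = ET.fromstring(manifest_xml)
    perms = requested_permissions(manifest_xml)
    has_location = bool(perms & LOCATION)
    has_contacts = bool(perms & CONTACTS)
    has_network = bool(perms & NETWORK)
    return {
        "package": root.get("package"),
        "location": has_location,
        "contacts": has_contacts,
        "network": has_network,
        # True only when all three are requested together; a single one
        # (e.g. a maps app asking for location) is not suspicious by itself.
        "flag_collect_and_exfil": has_location and has_contacts and has_network,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```

In practice you would run this over the decoded AndroidManifest.xml of each APK (after apktool or a similar decoder has converted the binary XML to text) and feed the flagged packages into a manual review queue; the same check can be extended with other tells the analyst considers relevant, such as an app labelled "VPN" that never declares a VpnService.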

Hacker © Mikhail Nilov / Pexels


Special attributes and techniques

It is thus the Indian hacker group DoNot that Cyfirma attributes these attacks to. To support its attribution, the company says the combined use of two particular techniques is almost a trademark of this group. The first is the use of the AES/CBC/PKCS5PADDING cipher configuration, a combination of three distinct elements (the AES block cipher, CBC mode and PKCS5 padding) used to encrypt data. The second is ProGuard, a tool used to make code harder to read. Beyond these quickly identified techniques, there are similarities between the names of certain files generated in this campaign and the group's older activity.

Cyfirma researchers also report that DoNot has abandoned email phishing in favour of attacks through messaging apps such as WhatsApp or Telegram. Potential victims click on a link sent in a private message that redirects them to Google Play, where they can download the booby-trapped apps. The platform thus lends an impression of legitimacy and trust to those who are taken in. It is not the first time such a situation has occurred.

These discoveries shed light on how rapidly the techniques used by hacker groups to achieve their ends are evolving. Even if, in DoNot's case, the phishing technique is fairly classic, the applications concerned are still downloaded in complete confidence from Google Play. The victims of these attacks are currently little known and mostly based in Pakistan, but it remains essential to keep up with how these cybersecurity threats evolve.

Sources: Bleeping Computer, Cyfirma
