A notorious advanced persistent threat (APT) group, believed to be operating out of India, has been targeting individuals with ties to the country's intelligence community using deceptive Android apps.
The group, known as DONOT Team, has been leveraging two nearly identical Android applications, "Tanzeem" and "Tanzeem Update", to carry out intelligence-gathering operations. The apps are disguised as chat applications but do not function as advertised. Instead, once installed, they prompt the user to enable Android's accessibility service for the app and to grant the permissions the malware needs. Once these are granted, the apps dismiss their visible interface and begin siphoning sensitive information from the device in the background.
According to a cyber security firm, which recently uncovered this campaign, the attackers are targeting individuals and organisations that hold strategic importance to India's national security.
Once a victim installs one of the fake chat apps, they receive a push notification via OneSignal, a widely used customer engagement platform. The notification tricks the user into tapping a "Start Chat" prompt, which leads them to enable Android's accessibility services for the app. Accessibility services are intended for assistive tools and can read on-screen content and drive the user interface, which is why spyware seeks them out. Once this access is granted, the malware has deep access to the device, allowing it to:
Retrieve call logs and contact lists
Access and search the file manager
Read, delete, and monitor incoming and outgoing text messages
Track the device’s real-time location
Researchers also found that the malware uses push notifications to convince victims to install additional malicious payloads, helping the attackers maintain long-term access to the compromised devices.
This approach highlights how the DONOT Team is continuously refining its methods to ensure long-term access and improve its intelligence-gathering capabilities.
DONOT Team, also tracked by security researchers under names like APT-C-35, SectorE02, and Viceroy Tiger, has been active since at least 2016. The group has been linked to multiple cyber-espionage campaigns targeting South Asian countries, including Sri Lanka, Bangladesh, Pakistan, and Nepal.
In late 2024, researchers at Cyble reported the group's involvement in attacks against manufacturing companies in Pakistan, particularly those connected to the country’s defence and maritime sectors. Similar campaigns have been uncovered in Kashmir and other regions, with DONOT Team using both Android and Windows malware to infiltrate targets.
Experts suggest that the group’s activities are likely tied to rising geopolitical tensions in the region and a broader surge in cybercrime across South Asia. DONOT Team’s operations have expanded beyond espionage, with reports indicating involvement in cyber extortion, hacktivism, and surveillance efforts.
With threat actors like DONOT Team continuing to evolve their tactics, it's crucial for individuals and organisations to stay vigilant. Here are some essential steps to reduce risk:
Avoid downloading apps from unknown or unofficial sources. Stick to trusted platforms like Google Play, keep Google Play Protect enabled, and verify the legitimacy of an app before installing it.
Be cautious with permission requests. A chat app that asks to be enabled as an accessibility service, or that requests SMS, call-log, contact or location access it has no need for, is a red flag. Periodically review Settings > Accessibility and disable any service you did not deliberately turn on.
Regularly update your devices. Security patches help fix vulnerabilities that attackers might exploit.
Use mobile security solutions. A good security app can detect and block suspicious activities before they cause harm.
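The infection chain described above (an enabled accessibility service combined with SMS, call-log, contact and location access on a sideloaded app) is something an incident responder can check for directly. The script below is an added example written for this article, not code from the researchers who uncovered the campaign or from the malware itself. It parses the output of two standard adb commands, `adb shell settings get secure enabled_accessibility_services` and `adb shell dumpsys package <pkg>`, and flags packages that were not installed by Google Play, own an enabled accessibility service, and request permissions matching the capabilities listed in the article. The package names and dumpsys excerpts embedded in it are constructed for the example; they are not captures from the Tanzeem apps.

```python
"""Triage helper: flag sideloaded Android apps that combine an enabled
accessibility service with SMS / call-log / contact / location access.

Inputs are the text output of:
  adb shell settings get secure enabled_accessibility_services
  adb shell dumpsys package <pkg>   (one excerpt per third-party package;
                                     list them with: adb shell pm list packages -3)
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Permissions that map onto the capabilities the article describes.
SENSITIVE = {
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "read SMS",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.READ_EXTERNAL_STORAGE": "file access",
    "android.permission.MANAGE_EXTERNAL_STORAGE": "full file access",
}
# Google Play's installer package; add your MDM or OEM store if you have one.
TRUSTED_INSTALLERS = {"com.android.vending"}


@dataclass
class PackageInfo:
    name: str
    installer: Optional[str]          # None when installed via adb / sideload
    requested: Set[str] = field(default_factory=set)


def parse_accessibility_services(setting: str) -> Set[str]:
    """Return the packages owning an enabled accessibility service.
    The setting is a ':'-separated list of 'pkg/ServiceClass' entries, or 'null'."""
    setting = setting.strip()
    if not setting or setting == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in setting.split(":") if entry}


def parse_dumpsys_package(text: str) -> PackageInfo:
    """Pull the package name, installer and requested permissions out of a
    'dumpsys package' excerpt. Only the fields used for triage are parsed."""
    name = re.search(r"Package \[([\w.]+)\]", text).group(1)
    m = re.search(r"installerPackageName=([\w.]+|null)", text)
    installer = None if not m or m.group(1) == "null" else m.group(1)
    requested: Set[str] = set()
    in_block = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "requested permissions:":
            in_block = True
            continue
        if in_block:
            if re.fullmatch(r"[A-Za-z0-9_.]+", stripped):   # one permission per line
                requested.add(stripped)
            else:                                           # next section header
                in_block = False
    return PackageInfo(name, installer, requested)


def triage(accessibility_setting: str, dumps: List[str]) -> List[dict]:
    """Flag sideloaded packages with an enabled accessibility service AND
    at least one sensitive permission. Returns one finding per package."""
    a11y_owners = parse_accessibility_services(accessibility_setting)
    findings = []
    for dump in dumps:
        pkg = parse_dumpsys_package(dump)
        caps = sorted(SENSITIVE[p] for p in pkg.requested & SENSITIVE.keys())
        sideloaded = pkg.installer not in TRUSTED_INSTALLERS
        if pkg.name in a11y_owners and sideloaded and caps:
            findings.append({"package": pkg.name, "installer": pkg.installer,
                             "capabilities": caps})
    return findings


# --- Constructed sample input (not captured from any real device or app) ---
SAMPLE_A11Y = "com.example.fakechat/com.example.fakechat.A11yService:com.android.talkback/.TalkBackService"

SAMPLE_FAKECHAT = """Package [com.example.fakechat] (1a2b3c):
    userId=10123
    installerPackageName=null
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_SMS
      android.permission.RECEIVE_SMS
      android.permission.READ_CALL_LOG
      android.permission.READ_CONTACTS
      android.permission.ACCESS_FINE_LOCATION
      android.permission.READ_EXTERNAL_STORAGE
    install permissions:
      android.permission.INTERNET: granted=true
"""

SAMPLE_LEGIT = """Package [com.example.messenger] (4d5e6f):
    userId=10124
    installerPackageName=com.android.vending
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_CONTACTS
    install permissions:
      android.permission.INTERNET: granted=true
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_A11Y, [SAMPLE_FAKECHAT, SAMPLE_LEGIT]):
        print(f"SUSPECT {f['package']} (installer={f['installer']}): "
              + ", ".join(f["capabilities"]))
```

On a real device, feed the script the live output of the adb commands listed in its docstring rather than the constructed samples. A hit is a lead, not a verdict: a legitimate accessibility tool can be sideloaded too, so confirm by inspecting the flagged package's APK and its network behaviour before wiping the device.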
As cyber threats continue to grow, staying informed and proactive is the best defence against these sophisticated attacks.