Tanzeem Mobile Malware
The DoNot Team, a known threat actor, has been linked to two new Android malware samples identified as Tanzeem and Tanzeem Update. Uncovered in October and December 2024 respectively, both were used in highly targeted attacks. Apart from slight differences in their user interfaces, the two apps are functionally almost identical.
Billed as chat applications, they stop working as soon as they are installed: the app shuts down once the user has granted the permissions it requests, leaving the collection components running in the background. This design points to a focus on specific individuals or groups rather than mass infection, potentially both domestic and international.
Unpacking DoNot Team’s Origins and Historical Operations
Also known as APT-C-35, Origami Elephant, SECTOR02, and Viceroy Tiger, the DoNot Team is believed to operate from India. The group has a history of using spear-phishing emails and Android malware to collect intelligence. In October 2023 it was linked to Firebird, a .NET-based backdoor used against victims in Pakistan and Afghanistan.
While the exact targets of the Tanzeem malware remain unclear, the group is suspected of using it to collect intelligence on perceived internal threats.
Exploiting Technology: The Abuse of Legitimate Platforms
One of the most notable tactics associated with the Tanzeem malware is its use of OneSignal, a legitimate customer engagement platform normally used for push notifications, in-app messages and similar communication. Researchers believe the platform was misused to deliver phishing links that lead to additional malware. Because OneSignal is a widely used legitimate service, the presence of its SDK in an app is not by itself an indicator of compromise; what matters is the content of the notifications it pushes.
Fake Features with Harmful Intent
Upon installation, the Tanzeem application displays a fake chat interface and urges the victim to tap a 'Start Chat' button. The app then prompts the user to enable it as an Accessibility Service. An accessibility service can read what is on screen and interact with other apps on the user's behalf, which is why Android warns before enabling one; with that access, the application can perform a wide range of unsafe actions without further user interaction.
Gaining Control: The Permissions Exploited
The Tanzeem application requests access to several sensitive permissions, enabling it to:
- Collect call logs, contact lists and SMS messages.
- Track precise user locations.
- Access account details and external storage files.
- Record the screen.
- Connect to a Command-and-Control (C2) server.
Together, these permissions let the application gather sensitive data from the device and transmit it to the attacker, significantly compromising the user's privacy.
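The combination of an Accessibility Service declaration with the data-collection permissions listed above is a useful triage signal when inspecting a suspicious APK's decoded AndroidManifest.xml. The following is an added example (not code from the original page, from CYFIRMA, or from the malware itself) that scores a manifest on exactly that profile. The two manifests embedded in it are constructed for illustration, the permission names are the standard android.permission.* identifiers, and the scoring weights and verdict thresholds are the example's own heuristics, not a published detection rule.

```python
"""Triage a decoded AndroidManifest.xml for the permission profile described above."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_PERMISSION = f"{{{ANDROID_NS}}}permission"

# Permission buckets mapped to the behaviours the write-up attributes to Tanzeem.
# Screen recording via MediaProjection is a runtime consent rather than a manifest
# permission; the API 34+ foreground-service permission is its manifest trace.
CAPABILITIES = {
    "call_logs": {"android.permission.READ_CALL_LOG"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "precise_location": {"android.permission.ACCESS_FINE_LOCATION"},
    "accounts": {"android.permission.GET_ACCOUNTS"},
    "external_storage": {
        "android.permission.READ_EXTERNAL_STORAGE",
        "android.permission.WRITE_EXTERNAL_STORAGE",
        "android.permission.MANAGE_EXTERNAL_STORAGE",
    },
    "screen_recording": {"android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"},
    "network": {"android.permission.INTERNET"},
}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"


def requested_permissions(root):
    """All <uses-permission android:name=...> values in the manifest."""
    return {el.get(A_NAME) for el in root.iter("uses-permission") if el.get(A_NAME)}


def declares_accessibility_service(root):
    """True if any <service> is set up to be enabled as an accessibility service:
    either bindable only via BIND_ACCESSIBILITY_SERVICE or filtering the
    AccessibilityService intent action."""
    for svc in root.iter("service"):
        actions = {a.get(A_NAME) for a in svc.iter("action")}
        if svc.get(A_PERMISSION) == ACCESSIBILITY_BIND or ACCESSIBILITY_ACTION in actions:
            return True
    return False


def triage_manifest(xml_text):
    """Return a dict with the capabilities found, the accessibility flag and a verdict."""
    root = ET.fromstring(xml_text)
    perms = requested_permissions(root)
    found = sorted(cap for cap, names in CAPABILITIES.items() if perms & names)
    accessibility = declares_accessibility_service(root)
    # Heuristic weights (assumption of this example): each data-collection capability
    # counts 1; an accessibility service counts 3 because it grants UI control,
    # not just data reads. A spyware-like profile is accessibility plus 4+ buckets.
    score = len(found) + (3 if accessibility else 0)
    if accessibility and len(found) >= 4:
        verdict = "high"
    elif accessibility or len(found) >= 4:
        verdict = "medium"
    else:
        verdict = "low"
    return {"package": root.get("package"), "capabilities": found,
            "accessibility_service": accessibility, "score": score, "verdict": verdict}


# Constructed sample: a "chat" app with the Tanzeem-style permission set.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakechat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"/>
  <application android:label="Chat">
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed sample: an ordinary app with a modest permission set.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <application android:label="Weather"/>
</manifest>"""

if __name__ == "__main__":
    for manifest in (SUSPECT_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(manifest))
```

Run it against the output of `apktool d` (or `aapt2 dump xmltree`, after converting the binary manifest) rather than the raw binary AndroidManifest.xml inside the APK, since the parser expects plain XML. The accessibility check is the higher-value signal: many legitimate apps request contacts or location, but very few legitimate chat apps need to be enabled as an accessibility service.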
Ensuring Persistence: Push Notifications as a Tactic
A distinctive feature of the Tanzeem malware is its use of push notifications to prompt the victim into installing additional Android malware. This gives the operators a way to re-establish or extend access even if the original app is removed, and it reflects the DoNot Team's continued evolution of the tactics it uses to maintain access and gather intelligence.
The Tanzeem malware shows how the DoNot Team leverages existing platforms and standard Android permissions, rather than novel exploits, to run its operations. For defenders, the practical takeaways are to treat a request to enable an app as an Accessibility Service as a high-risk event, to review which apps hold that access on managed devices, and to be suspicious of push notifications that link to app installs from outside the official store.