{
	"id": "5c114682-3021-436c-b78b-fb387fa487ad",
	"created_at": "2026-04-06T00:06:14.120352Z",
	"updated_at": "2026-04-10T03:20:51.009917Z",
	"deleted_at": null,
	"sha1_hash": "0f8e5e3e1d020b28bb718cdb2c9e8389aea630f1",
	"title": "ANDROID MALWARE IN DONOT APT OPERATIONS - CYFIRMA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2379225,
	"plain_text": "ANDROID MALWARE IN DONOT APT OPERATIONS -\r\nCYFIRMA\r\nArchived: 2026-04-02 12:41:21 UTC\r\nPublished On : 2025-01-17\r\nEXECUTIVE SUMMARY\r\nThe research team at CYFIRMA collected a sample attributed to the Indian APT group known as ‘DONOT’, which\r\nappears to serve Indian national interests, and additionally seems to have been designed for intelligence gathering\r\nagainst internal threats and uses an innocent customer engagement platform for malicious purposes.\r\nINTRODUCTION\r\nThe application is named “Tanzeem” and “Tanzeem Update”, which in Urdu translates to “organization.” Terrorist\r\norganizations and several Indian law enforcement agencies use this term to refer to groups they are associated with,\r\nsuch as Jaish-e-Mohammad and Lashkar. We collected two samples at different times, one from October and another\r\nfrom December, and found both apps nearly identical, with only slight changes to the user interface.\r\nhttps://www.cyfirma.com/research/android-malware-in-donot-apt-operations/\r\nPage 1 of 12\n\nAlthough the app is supposed to function as a chat application, it does not work once installed, shutting down after\r\nthe necessary permissions are granted. The app’s name suggests that it is designed to target specific individuals or\r\ngroups both inside and outside the country.\r\nTECHNICAL ANALYSIS\r\nOneSignal is a popular platform that provides tools for sending push notifications, in-app messages, emails, and\r\nSMS, which are widely used in mobile and web applications. In this instance, however, we believe the library is\r\nbeing misused to push notifications containing phishing links, as we have observed the OneSignal library being used\r\nin both applications. 
The techniques employed are similar to those seen in other applications used by the group in the past; however, this is the first time we have observed this APT group using this library.\r\nPROCESS OVERVIEW\r\nOnce installed, the app takes you to a landing page that says, “Tanzeem App,” possibly referring to an application used by members of terrorist organizations.\r\nFigure 1. Landing page of the application.\r\nThe application then loads the second page, where the user is shown the fake chat functions:\r\nFigure 2. Fake chat page.\r\nUpon clicking “START CHAT”, a pop-up message asks the user to turn on accessibility access for the Tanzeem App.\r\nFigure 3. Pop-up after clicking on ‘start chat’.\r\nThe user is then directed to the accessibility settings page.\r\nFigure 4. Accessibility settings once ‘ok’ is clicked on the pop-up.\r\nThe snippet below, from another sample, shows slight differences from the other application, but the functions remain the same except for the color change.\r\nFigure 5. Second application.\r\nCODE OVERVIEW\r\nThe snippet is from the extracted Android Manifest file of the app.\r\nFigure 6. Snippet from Android Manifest file.\r\nBelow are a few of the dangerous permissions that the malicious Android app accesses:\r\nSr.no | Permission | Description\r\n1. | READ_CALL_LOG | This permission enables threat actors to read and fetch call logs.\r\n2. | READ_CONTACTS | This permission allows the threat actor to read and fetch contacts.\r\n3. | READ_EXTERNAL_STORAGE | Allows threat actors to explore and fetch data from the file manager.\r\n4. | WRITE_EXTERNAL_STORAGE | Allows threat actors to delete and move files.\r\n5. | READ_SMS | This allows attackers to delete and read outgoing and incoming SMSs.\r\n6. | STORAGE | This gives access to mobile internal storage to view and access files.\r\n7. | ACCESS_FINE_LOCATION | Threat actors are able to extract precise locations and monitor the live movement of the device.\r\n8. | GET_ACCOUNTS | This allows the threat actor to extract emails and usernames used for logging into various internet platforms.\r\nThe URL shown below serves as a command-and-control server for the app.\r\nFigure 7. The module is part of handling communication with the C2 server.\r\nThe snippet below shows the OneSignal library after decompiling the Android package. Another snippet displays the Appspot domains used for communication with the OneSignal library.\r\nFigure 8. OneSignal library.\r\nFigure 9. Snippet from strings file.\r\nThe image below shows part of the module that fetches information about the permissions gained after application installation.\r\nFigure 10. The module handles the fetching of basic information from the device.\r\nThe code below handles accessibility for the application.\r\nFigure 11. The module handles accessibility permissions for the application.\r\nThe code below helps the application handle permissions.\r\nFigure 12. The module that handles permissions.\r\nThe snippet shows code from the module that handles screen recording for the application.\r\nEXTERNAL THREAT LANDSCAPE MANAGEMENT\r\nThe ongoing efforts by the notorious DONOT APT extend beyond gathering intelligence on internal threats; they have also targeted various organizations in South Asia to assist India with strategic intelligence collection. The collected samples reveal a new tactic involving push notifications that encourage users to install additional Android malware, ensuring the persistence of the malware on the device. This tactic enhances the malware’s ability to remain active on the targeted device, indicating the threat group’s evolving intentions to continue participating in intelligence gathering for national interests. The group’s relentless efforts suggest that their operations are far from over.\r\nDiamond Model\r\nMITRE ATT\u0026CK FRAMEWORK\r\nMITRE ATT\u0026CK framework for the Android malware payload in a table format\r\nTactic | Technique ID | Description\r\nDefense Evasion | T1406 – Obfuscated Files or Information | Uses obfuscation techniques to hide malicious code within the APK.\r\nDiscovery | T1420 – File and Directory Discovery | Enumerates files and directories on the device to locate valuable information.\r\nCredential Access | T1417 – Input Capture | Captures keystrokes to steal sensitive credentials like usernames and passwords.\r\nDiscovery | T1426 – System Information Discovery | Collects device information, such as device model, and user details.\r\nCollection | T1533 – Data from Local System | Extracts data such as contacts, messages, photos, and videos from the infected device.\r\nCollection | T1513 – Screen Capture | Takes screenshots and records video of the infected device to capture sensitive information.\r\nExfiltration | T1646 – Exfiltration Over C2 Channel | Sends stolen data (e.g., contacts, messages, credentials) to the C2 server.\r\nINDICATORS OF COMPROMISE\r\nIndicator | Type | Remarks\r\n8689D59AAC223219E0FDB7886BE289A9536817EB6711089B5DD099A1E580F8E4 | SHA-256 | File Hash\r\nD512664DF24B5F8A2B1211D240E3E767F5DD06809BB67AFA367CDC06E2366AEC | SHA-256 | File Hash\r\ntoolgpt[.]buzz | Domain | Command and Control\r\nUpdash[.]info | Domain | Command \u0026 Control\r\nSolarradiationneutron[.]appspot[.]com | Sub-domain | Command \u0026 Control\r\nsaturn789454[.]appspot[.]com | Sub-domain | Command \u0026 Control\r\nCONCLUSION\r\nThe cybersecurity community is well aware that the DONOT group is actively targeting organizations and individuals across the South Asia region. The group persistently employs similar techniques in their Android malware. Recently, we observed the implementation of OneSignal in their latest attack, further demonstrating their efforts to maintain persistence. As the group continues to evolve, we can expect further modifications in their tactics, aiming to strengthen their ability to maintain persistence in future cyberattacks using Android malware.\r\nSource: https://www.cyfirma.com/research/android-malware-in-donot-apt-operations/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.cyfirma.com/research/android-malware-in-donot-apt-operations/"
	],
	"report_names": [
		"android-malware-in-donot-apt-operations"
	],
	"threat_actors": [],
	"ts_created_at": 1775433974,
	"ts_updated_at": 1775791251,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0f8e5e3e1d020b28bb718cdb2c9e8389aea630f1.pdf",
		"text": "https://archive.orkl.eu/0f8e5e3e1d020b28bb718cdb2c9e8389aea630f1.txt",
		"img": "https://archive.orkl.eu/0f8e5e3e1d020b28bb718cdb2c9e8389aea630f1.jpg"
	}
}