{
	"id": "d3049760-da0d-4759-a437-65ba48544443",
	"created_at": "2026-04-06T03:37:49.511773Z",
	"updated_at": "2026-04-10T13:11:21.48327Z",
	"deleted_at": null,
	"sha1_hash": "1e758ed5316e6228d5bb2248c1453f8e3b2faad4",
	"title": "DoNot APT Elevates its Tactics by Deploying Malicious Android Apps on Google Play Store - CYFIRMA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1136726,
	"plain_text": "DoNot APT Elevates its Tactics by Deploying Malicious Android\r\nApps on Google Play Store - CYFIRMA\r\nArchived: 2026-04-06 02:51:07 UTC\r\nPublished On : 2023-06-16\r\nEXECUTIVE SUMMARY\r\nThe team at CYFIRMA recently obtained suspicious Android apps hosted on the Google Play Store under the account “SecurITY Industry”. Further technical analysis revealed that the apps have malware characteristics and belong to the notorious Advanced Persistent Threat group “DoNot”, which recently targeted individuals in the Kashmir region. In a recent observation, we found the threat actor using an Android payload against individuals in the Pakistan region; however, it is still unknown what drives them to conduct cyber strikes in the South Asian region. Technical analysis indicates that the motive behind the attack is to gather information via the stager payload and to use the gathered information for a second-stage attack using malware with more destructive features.\r\nhttps://www.cyfirma.com/outofband/donot-apt-elevates-its-tactics-by-deploying-malicious-android-apps-on-google-play-store/\r\nPage 1 of 20\r\nINTRODUCTION\r\nThe team at CYFIRMA obtained Android apps deployed on the Google Play Store that were used against individuals in the Pakistan region. The apps were hosted under an account named “SecurITY Industry” on the Google Play Store. A total of three Android apps were hosted, named Device Basic Plus, nSure Chat, and iKHfaa VPN; two of them, nSure Chat and iKHfaa VPN, have malicious characteristics. The threat actor used clean, legitimate Android libraries and made them fetch the contacts and the location of the compromised victim. iKHfaa VPN copied its code from a genuine VPN service provider and injected additional libraries to silently perform malicious activity. Normally, VPN apps do not use location and contact permissions to make a VPN app work; these are the permissions least required for VPN apps to perform their job. All these suspicious findings made us dig deeper, and after thorough technical analysis, we found the perpetrator to be DoNot. Further technical analysis reveals the tactics employed by the threat actor to deploy the Android payload on the Google Play Store to target victims in the South Asian region.\r\nTECHNICAL ANALYSIS\r\nProcess Overview\r\nAfter installing iKHfaa VPN, a message asks the user to turn on the location permission.\r\nThe About Us page also reflects the poor modification of the app, as the About Us content still displays the original app’s name.\r\nIncluded is a screenshot of the nSure Chat app after installation.\r\nOn skipping the chat page, the app asks the user to grant the contacts permission.\r\nAfter skipping, the login/sign-up page is shown, which lets the user log in or sign up to the chat app.\r\nCODE REVIEW\r\nWe decompiled the apps and performed a thorough code analysis, which revealed the threat actor performing malicious activity with limited permissions. iKHfaa VPN had lines of code similar to the genuine Liberty VPN app, and the threat actor modified it by injecting legitimate Android libraries to make the app act maliciously and fetch the contacts and the precise location of victims. The RoomDB and Retrofit libraries were added silently to store data and send the contacts and the precise location to the web-based command-and-control server, which also acts as the official website of the apps.\r\nThe snippet below is from the Android manifest file of iKHfaa VPN, obtained after decompiling the app, which reveals the permissions that the app accesses after installation. (Please note that the permissions used by iKHfaa VPN are the same as the permissions used by nSure Chat.)\r\nThe table below covers the dangerous permissions, with descriptions, that the apps take for malicious activity.\r\nSr. no | Permission | Description\r\n1. | ACCESS_FINE_LOCATION | Allows the threat actor to fetch the precise location and track the live movement of the mobile phone.\r\n2. | READ_CONTACTS | Allows the threat actor to read and fetch contacts.\r\nThe snippet below is from the module of iKHfaa VPN that gains access to the precise location of the compromised victim if GPS is turned on. If not, it captures the last known location of the compromised device. This module was injected into the code stolen from Liberty VPN; Liberty VPN did not have any module to access the location.\r\nThe code snapshot shared herein is from iKHfaa VPN; the code shows the use of the Android Room library to create and store the data using SQLite statements.\r\nThe snippet below is from iKHfaa VPN’s decompiled code and reveals the use of the Room library, provided by Android Jetpack. The snippet shows the use of the Room library’s DAO (Data Access Object) interface, which is responsible for inserting, updating, and deleting data. The instance used for fetching and storing contacts in the RoomDatabase uses SQLite statements.\r\nAs can be seen, the snippet below reveals the use of the Retrofit HTTP client library to interact with https[:]ikhfaavpn[.]com. Retrofit is responsible for communication between Android apps and web services, APIs, and backend servers. In this case, ikhfaavpn[.]com acted as the official website of iKHfaa VPN and also fulfilled the role of command and control, receiving the location and contacts from the device.\r\nIncluded herein is a snippet from the decompiled code of the nSure Chat application. The module below employs Retrofit and communicates with the domain and port configured in it. Note that the same command-and-control server used in the nSure Chat app was used for Cobalt Strike a year ago on a different port.\r\nAfter capturing live traffic from nSure Chat, we found that the communication between the app and port 4000 on the configured domain is encrypted using a Let’s Encrypt certificate, which provides TLS encryption for the HTTP requests.\r\nBelow is a snippet from the live HTTP request captured; the request shows data sent to appnsure.com:9090 in JSON using an authorization key. This shows that the C2 server is also logging each new user who installs this app, with their username and password in plain text.\r\nEXTERNAL THREAT LANDSCAPE MANAGEMENT (ETLM)\r\nATTRIBUTION\r\nAfter conducting a thorough analysis of the samples, we can confirm with a moderate level of confidence that the Google Play Store account is linked to APT DoNot, as it hosts Android apps exhibiting malicious characteristics. Furthermore, we discovered encrypted strings using the AES/CBC/PKCS5PADDING algorithm. The code is also obfuscated using ProGuard. Interestingly, the text file generated by the Android application to store data locally shares the same name as the text file in the Android malware previously used by DoNot. These encryption techniques were previously employed by APT DoNot in their earlier Android sample, which was extensively researched and documented in a detailed report published in April. These technical findings collectively enable us to attribute these samples to the notorious APT group DoNot.\r\nTHREAT ACTOR PROFILE\r\nVICTIMOLOGY\r\nWe know very little about the specific victims targeted using this malware, except that they were based in Pakistan. The malware’s characteristics and the access it gains hint at the threat actor aiming to gather information for a second-stage attack using malware with advanced features. In this instance, we believe the threat actor used a spear-messaging attack on Telegram or WhatsApp to lure victims into installing an app from the Google Play Store, whereas in the past the threat actor employed malicious Word documents carrying macros via spear-phishing attacks, and targeted various regions in South Asia with Android malware pretending to be chat apps.\r\nCONCLUSION\r\nIt appears that this Android malware was specifically designed for information gathering. By gaining access to victims’ contact lists and locations, the threat actor can strategize future attacks and employ Android malware with advanced features to target and exploit the victims.\r\nWe have observed a shift in the tactics employed by the DoNot APT group, as they have taken a step further by deploying Android malware on the Google Play Store. The process of uploading an Android app to Google Play is a meticulous one, involving a thorough examination of each permission requested by developers. The previous year, APT Sidewinder deployed Android malware on the Play Store by posing as a VPN provider; in that case too, we observed that the app was a copied version of Nord VPN with the addition of malicious modules. Every year, researchers discover Android apps with malware characteristics, or legitimate apps that make users download malicious Android apps, on the Google Play Store; however, there are very few cases of APTs employing the Google Play Store to host malicious apps by bypassing its security checks. By sharing a Google Play Store link, the threat actor greatly enhances the likelihood of a successful compromise. This approach takes advantage of the trust people place in the Google Play Store, as it is uncommon for individuals to suspect it of hosting malicious applications. The implications would be significant if advanced persistent threats (APTs) were to adopt this strategy in the wild.\r\nDIAMOND MODEL\r\nAPPENDIX I\r\nIndicators of Compromise\r\nIndicator | Type | Remarks\r\nEAED560A605374FE23317C1C37BBD05383CEEC09FF83975B989E4C5D612FC039 | SHA256 | iKHfaa.apk\r\nEE9900EF830539D113A8BCC0C7B4DD981C3FD61868319C9FE9491465BCAF4661 | SHA256 | nSure Chat.apk\r\nAppnsure[.]com[:]4000 | Domain and port | Command and Control\r\nAppnsure[.]com[:]9090 | Domain and port | Command and Control\r\n193[.]149[.]176[.]226 | IP Address | Command and Control\r\nIkhfaavpn[.]com | Domain | Command and Control\r\nAPPENDIX II\r\nMITRE ATT\u0026CK Technique Detection\r\nTactic | Technique ID | Description\r\nTA0101 – Command and Control | T0869 – Standard Application Layer Protocol | The threat actor uses a web service as a command-and-control server.\r\nTA0035 – Collection | T1430 – Location Tracking | Fetches the precise location as part of information gathering.\r\nTA0030 – Defense Evasion | T1406 – Obfuscated Files or Information | Obfuscated code in the malicious app as part of a defense mechanism.\r\nTA0035 – Collection | T1636.003 – Contact List | Access to updated contacts as part of information gathering.\r\nTA0035 – Collection | T1532 – Archive Collected Data | The threat actor uses encryption over the data transfer to the command and control.\r\nSource: https://www.cyfirma.com/outofband/donot-apt-elevates-its-tactics-by-deploying-malicious-android-apps-on-google-play-store/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cyfirma.com/outofband/donot-apt-elevates-its-tactics-by-deploying-malicious-android-apps-on-google-play-store/"
	],
	"report_names": [
		"donot-apt-elevates-its-tactics-by-deploying-malicious-android-apps-on-google-play-store"
	],
	"threat_actors": [
		{
			"id": "d0c0a5ea-3066-42a5-846c-b13527f64a3e",
			"created_at": "2023-01-06T13:46:39.080551Z",
			"updated_at": "2026-04-10T02:00:03.206572Z",
			"deleted_at": null,
			"main_name": "RAZOR TIGER",
			"aliases": [
				"APT-C-17",
				"T-APT-04",
				"SideWinder"
			],
			"source_name": "MISPGALAXY:RAZOR TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6b9fc913-06c6-4432-8c58-86a3ac614564",
			"created_at": "2022-10-25T16:07:24.185236Z",
			"updated_at": "2026-04-10T02:00:04.893541Z",
			"deleted_at": null,
			"main_name": "SideWinder",
			"aliases": [
				"APT-C-17",
				"APT-Q-39",
				"BabyElephant",
				"G0121",
				"GroupA21",
				"HN2",
				"Hardcore Nationalist",
				"Rattlesnake",
				"Razor Tiger",
				"SideWinder",
				"T-APT-04"
			],
			"source_name": "ETDA:SideWinder",
			"tools": [
				"BroStealer",
				"Capriccio RAT",
				"callCam"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "173f1641-36e3-4bce-9834-c5372468b4f7",
			"created_at": "2022-10-25T15:50:23.349637Z",
			"updated_at": "2026-04-10T02:00:05.3486Z",
			"deleted_at": null,
			"main_name": "Sidewinder",
			"aliases": [
				"Sidewinder",
				"T-APT-04"
			],
			"source_name": "MITRE:Sidewinder",
			"tools": [
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775446669,
	"ts_updated_at": 1775826681,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1e758ed5316e6228d5bb2248c1453f8e3b2faad4.pdf",
		"text": "https://archive.orkl.eu/1e758ed5316e6228d5bb2248c1453f8e3b2faad4.txt",
		"img": "https://archive.orkl.eu/1e758ed5316e6228d5bb2248c1453f8e3b2faad4.jpg"
	}
}