# DoNot APT Group Delivers a Spyware Variant of Chat App

**[blog.cyble.com/2021/07/22/donot-apt-group-delivers-a-spyware-variant-of-chat-app/](https://blog.cyble.com/2021/07/22/donot-apt-group-delivers-a-spyware-variant-of-chat-app/)**

July 22, 2021

DoNot APT Group, also known as APT-C-35, is an Advanced Persistent Threat (APT) group
targeting government-related organizations. DoNot has a reputation for carrying out APT
attacks against India, Pakistan, Argentina, and countries in South Asia. This group mainly
spreads malware using malicious programs developed in C++, Python, .NET, and other
languages.

DoNot APT mainly spreads malware via spear-phishing emails containing malicious
documents and files. In addition to spreading malware via spear-phishing emails with
attachments that contain either a vulnerability or a malicious macro, this APT group
leverages malicious Android APKs in their target attacks.

Android-based Spyware applications are often disguised as system tools and in some cases
as fake apps, counterfeit mobile games, and fake news apps. Post installation, these
apps perform Trojan functions in the background and can remotely control
the victim’s system, besides stealing confidential information from the targeted device.

During our Open-Source Intelligence (OSINT) research, Cyble researchers found a malware
[sample of the DoNot APT group posted on Twitter. Upon analyzing the malware sample, the](https://twitter.com/ShadowChasing1/status/1417296126852567049)
Cyble Research Lab discovered that it is a fake app disguised as a legitimate messaging app
that collects sensitive information from the victim’s device.

The APT group uses the deobfuscation code along with some packers within the application
to conceal malicious functionalities. This prevents the spyware from being detected during
the static analysis of the app.

**Technical Analysis:**

We performed the technical analysis of an APK, with the following hash value:

**fdb67688d92900226bf834ce67f4112f03e981611ee50e9c3102636574b05280.**

App name:

**Mecaller.apk**

Package name:


-----

**com.chat.nsgnest**

Some of the applications’ permissions, activities, and services that may be used to perform
malicious activities are listed below:

**Permissions:**

android.permission.READ_CALENDAR
android.permission.PROCESS_OUTGOING_CALLS
android.permission.ACCESS_COARSE_LOCATION
android.permission.INTERNET
android.permission.ACCESS_FINE_LOCATION
android.permission.READ_CALL_LOG
android.permission.WRITE_EXTERNAL_STORAGE
android.permission.RECEIVE_SMS
android.permission.AUTHENTICATE_ACCOUNTS
android.permission.CALL_PHONE
android.permission.READ_PHONE_STATE
android.permission.READ_SMS
android.permission.RECORD_AUDIO
android.permission.READ_CONTACTS

**Activities:**

ime.serviceinfo.app.MainActivity
ime.serviceinfo.app.qsharehong.qsharelackhong

**Services:**

ime.serviceinfo.app.qsynchong.qSyncServicehong
ime.serviceinfo.app.qsynchong.qAuthenticatorServicehong
ime.serviceinfo.app.qaleolehong.qdcerthong
ime.serviceinfo.app.qaleolehong.qnqwerhong
ime.serviceinfo.app.qstunthong.qSensorServicehong
ime.serviceinfo.app.qsharehong.qsttrServicehong
ime.serviceinfo.app.qsharehong.qServicehong
ime.serviceinfo.app.qaleolehong.qhepjshong
ime.serviceinfo.app.qhelphong.qgarohong
ime.serviceinfo.app.qaihihihong.tknnotify.sfsSr

We also performed a dynamic analysis and discovered that the app has an emulator check
that avoids running the app in an emulator or VirtualBox, and only runs this app on legitimate
devices. Further, on bypassing the scripts using Frida and on loading the application, it
displays a message as shown in the figure below


-----

Figure 1 Error Message from The App on Loading It Through Frida Scripts

Using the same Frida scripts and on loading the various activities, the app requests users to
enable the accessibility service and on activating, it displays the below message as shown in
Figure 2.

Figure 2 – Message displayed on turning on the Accessibility Service


-----

The malware then initiates malicious behavior from the application main
class, “ime.serviceinfo.app.MainActivity“. The entry point of the app is this class, which
gets executed at first when the user starts the application.

Using the above permissions granted from users, the following data is fetched from the
devices:

Tracking the user’s location along with network operator details, device location,
latitude, and longitude from the compromised device.

Figure 3 Code to track the location of the device with Latitude and Longitude

Checking for the availability of internet connection from the device to collect the
network and connectivity information.

Figure 4 Checks for Internet connection Availability

The application also has the capability to record audio and collect media files from the
infected device without the user’s knowledge.


-----

Figure 5 Code to Record Audio/Media Files from the Infected Device

Sending text messages using permissions and SMS manager.

Figure 6 Sends text Messages using SMS Manager and Android Permissions


-----

Tracking the Service/Receiver that are registered post device reboot.

Figure 7 Registers the service/receiver on phone reboot

After the accessibility service is enabled, the application launcher icon is removed from
the main screen, thereby allowing the app to stay hidden.

Figure 8 Hides the Application launcher Icon from View

Collecting the information on the running application processes or tasks.


-----

Figure 9 Collects list of running processes

Verifying the infected device fingerprint, hardware, and model to find out whether the
application is executed through emulator or through VirtualBox. If it is executed through
emulator, the application will not be performing any malicious activity to avoid any kind
of detection.

Figure 10 Code to detect the analysis device (Emulator Check)

Monitoring the device phone number from both outgoing and incoming calls using
broadcastreceiver and storing the collected data into “CallLogs.txt“.

Figure 11 Code that queries phone numbers from incoming and outgoing calls


-----

Figure 12 Code that monitors and collects call logs

Monitoring the incoming messages, creating Protocol data unit (PDU), intercepting
SMSes to collect information from them and storing the information in “sms.txt“.

Figure 13 Code that monitors and collects SMS data


-----

Figure 14 Stores the collected SMS data

Collecting phone contacts from the infected device and storing it in “contacts.txt” file.

Figure 15 Collects and stores Phone contacts

Along with the above sensitive information, this malicious app has the code to fetch
stored mail accounts and application accounts like Gmail, WhatsApp, besides storing
the information in “accounts.txt“.


-----

Figure 16 Code that collects and stores mail, application accounts

Base64 Encryption technique used in multiple classes and methods.

Figure 17 Encrypted strings using Base64 encryption technique

Upon decrypting the encrypted strings, we were able to determine that the data being
collected by this app is sent to the C2 link through which the application communicates and
uploads the information to the server.

C2 Server: hxxp[:]//tinyshort[.]icu/

## CONCLUSION:


-----

Spyware apps have been around for a long time, yet they still pose a significant threat to
sensitive data on victim devices. The APT groups responsible for creating the spyware are
constantly adapting and using various encryption techniques to avoid detection. This makes
removal of the spyware nearly impossible, thus users should exercise caution while installing
applications.

**SAFETY** **RECOMMENDATIONS:**

Keep your anti-virus software updated to detect and remove malicious software.
Uninstall the application if you find this malware in your device.
Keep your system and applications updated to the latest versions.
Use strong passwords and enable two-factor authentication.
Download and install software only from trusted sites and official app stores.
Verify the privileges and permissions requested by apps before granting them access.
People concerned about the exposure of their stolen credentials in the dark web can
register at [AmIBreached.com to ascertain their exposure.](https://amibreached.com/)

**MITRE ATT&CK® Techniques- for Mobile**

**Tactic** **Technique ID** **Technique Name**


Defense Evasion [T1406](https://attack.mitre.org/techniques/T1406)
[T1418](https://attack.mitre.org/techniques/T1418)

Credential Access [T1409](https://attack.mitre.org/techniques/T1409)
[T1412](https://attack.mitre.org/techniques/T1412)

Collection [T1507](https://attack.mitre.org/techniques/T1507)
[T1430](https://attack.mitre.org/techniques/T1430)
[T1412](https://attack.mitre.org/techniques/T1412)
[T1429](https://attack.mitre.org/techniques/T1429/)
[T1432](https://attack.mitre.org/techniques/T1432/)
[T1433](https://attack.mitre.org/techniques/T1433/)

Discovery [T1421](https://attack.mitre.org/techniques/T1421/)
[T1430](https://attack.mitre.org/techniques/T1430/)
[T1426](https://attack.mitre.org/techniques/T1426/)
[T1418](https://attack.mitre.org/techniques/T1418)
[T1424](https://attack.mitre.org/techniques/T1424)

Command and Control [T1573](https://attack.mitre.org/techniques/T1573)
[T1571](https://attack.mitre.org/techniques/T1571/)


Obfuscated Files or Information
Application Discovery

Access Stored Application Data
Capture SMS Messages

Network Information Discovery
Location Tracking
Capture SMS Messages
Capture Audio
Access Contact List
Access Call Log

System Network Connections
Discovery Location Tracking
System Information Discovery
Application Discovery
Process Discovery

Encrypted Channel
Non-Standard Port


Exfiltration [T1532](https://attack.mitre.org/techniques/T1532/) Data Encrypted

**Indicators of Compromise (IoCs):**

**IOCs** **IOC type**


-----

fdb67688d92900226bf834ce67f4112f03e981611ee50e9c3102636574b05280 SHA256

hxxp[:]//tinyshort[.]icu/ Interesting
URL

45.61.137[.]7 IP
address

**About Cyble**

[Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves](https://cyble.com/)
from cybercrimes and exposure in the darkweb. Cyble’s prime focus is to provide
organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator
as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the
top 20 Best Cybersecurity Startups to Watch in 2020. Headquartered in Alpharetta, Georgia,
and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn
[more about Cyble, visit www.cyble.com.](https://cyble.com/)


-----