DoNot APT expands its arsenal to spy on victim’s VoIP calls

Key Takeaways

  • Cyble Research and Intelligence Labs (CRIL) has identified a new version of Android malware used by the DoNot APT group, potentially targeting individuals in the Kashmir region of India.
  • The DoNot APT group leverages an open-source project available on GitHub and added malicious code to weaponize the app.
  • The updated malware now includes additional features such as recording VoIP calls, collecting messages from messaging and social media apps, and gathering various other types of data.
  • The malware employs a command and control architecture that consists of a Firebase Cloud Messaging (FCM) server along with two other command and control (C&C) servers to maintain communication.
  • The malware stores the stolen information in an SQLite database.


DoNot, also known as APT-C-35, is an Advanced Persistent Threat (APT) group that has been active since 2016. This APT group has a history of targeting government and military organizations, as well as foreign affairs ministries and embassies in South Asian countries. DoNot APT has been observed using both Windows and Android malware in its operations.

In April 2023, a security company examined an Android malware file with the hash a6d97b2f28b02193fc16d00447085c5c1338bad51ad1e20271e0f2a8d1002351 (acerchat.apk). The DoNot APT group employed this malware to target individuals in Kashmir, India. The malicious application cleverly posed as a messaging app and employed a two-layer string encryption method to obscure its true nature. The figure below shows the list of features employed by the malware:

Figure 1 – Features employed in the acerchat.apk file

During the same period, an enhanced version of this Android malware came to our attention. In this updated version, two-layer string encryption was eliminated, and new functionalities were introduced. These enhancements encompassed the capability to steal conversations from messaging applications, screen recording, taking photos using the device’s camera, and capturing screenshots. This revised file was also mentioned in the same article, and its hash was specified as “b2b857553e0bbf098d35198a6dead03798fcf786c086e9f50e4e1f5eaeaad5e8 (AppsUpdate.apk).”

Similar to the previous version, some of these updated malicious files posed as messaging apps, while others pretended to be settings or app update applications, and the package names included Chinese characters. The figure below depicts the features incorporated into the updated version of the malware, with the new features highlighted in red.

Figure 2 – Updated variant of Android malware used by DoNot APT group

Cyble Research and Intelligence Labs (CRIL) recently discovered two malicious files associated with the DoNot APT group. These files are named “NapChat App 1.0.apk (a4d6c718a5978643439f9373630a72f738b763b535fa7e945e4adb5c1b75ab89)” uploaded to VirusTotal on October 9, 2023, as well as “Quran pro.apk (63879938fa7a8058d1a2d30446d0ad3b819b7f7661478ebb6f4505c456b91cc1)” uploaded on October 10, 2023. It’s worth noting that these malicious files share the same source code as the “appsUpdate.apk” file but have incorporated new functions. The figure below provides a list of features for the recent malware variant:

Figure 3 – Recent DoNot APT Android malware with updated features

Both of these files were uploaded from India and are associated with the same Command and Control (C&C) servers, namely “hxxps://capsup[.]buzz” and “hxxps://toolgpt[.]buzz.” The URL “hxxps://capsup[.]buzz” is currently operational and hosted on the IP address 162.33.178[.]209, with the domain registrar being “Namesilo LLC.” It’s important to note that a similar C&C domain pattern with the “Namesilo” registrar has been observed in attacks conducted by the DoNot APT group in the past. The combination of the sample upload location, the Quran app theme, and the structure of the C&C server resembles a campaign observed in April 2023. This suggests that the malware may be used to target individuals in Kashmir, India.

Figure 4 – Malicious files uploaded from India
Figure 5 – Whois data of “” C&C domain

As previously mentioned, the latest version of the malware has introduced several new features. These additions encompass recording VoIP calls from messaging apps, capturing clipboard contents, downloading payloads during runtime, gathering browser history, as well as collecting other Personally Identifiable Information (PII) data and ShareMe activity. Notably, in this updated version, the malware has expanded its target list to include additional messaging and social media applications. The figure below illustrates the disparities between the malware that emerged in April 2023 (on the right) and the most recently updated malware (on the left).

Figure 6 – Comparison of new and old malware variants

For our in-depth analysis, we are focusing on the most recent application, “Quran pro.apk (63879938fa7a8058d1a2d30446d0ad3b819b7f7661478ebb6f4505c456b91cc1).” This specific malicious application is a weaponized version of the legitimate “QuranApp” found on the Google Play Store. The threat actor leveraged an open-source GitHub project called “QuranApp: Read and Explore” and integrated malicious source code into it. The figure below illustrates the additional malicious code present in the “Quran pro.apk” file.

Figure 7 – Comparison of weaponized and genuine QuranApp

Technical Analysis

APK Metadata Information

  • App Name: QuranApp
  • Package Name: com.syster.serviceapp
  • SHA256 Hash: 63879938fa7a8058d1a2d30446d0ad3b819b7f7661478ebb6f4505c456b91cc1
Figure 8 – Application metadata information

Command and Control (C&C) Server Communication

The malware employs the Firebase Cloud Messaging (FCM) server as its initial Command and Control (C&C) server to receive commands. The FCM server is responsible for various functions, including obtaining the new C&C server URL, setting up databases, deleting the application, sending text messages from the infected device, adding contacts, call log entries, and downloading the APK file.

Figure 9 – Receiving commands via FCM server

Below, we have listed the commands received via the FCM server:

Command    Description
http       Receives C&C server URL
Ccdiss     Uninstall itself
ccqkupt    Sends device and network-related information
ccsilent   Updates “hxxps://toolgpt[.]buzz” URL as a C&C server
ccflupt    Clear databases
ccsmnd     Sends SMS from the infected device
ccinst     Downloads Resource1.apk
WA         Updates WhatsApp-related shared preference settings
GB         Updates GB WhatsApp-related shared preference settings
IG         Updates Instagram-related shared preference settings
FB         Updates Facebook-related shared preference settings
1          Display Accessibility setting
cccont     Add contacts to the content provider
ccclg      Add call log to the content provider
ccdrp      Downloads file

The malware stores an alternative C&C server URL in a text file named “KYLK00.txt”. The malware has two hardcoded C&C server URLs embedded in its code, namely “hxxps://capsup[.]buzz” and “hxxps://toolgpt[.]buzz.” The choice of C&C URL in the text file depends on the below scenario:

  • “hxxps://capsup[.]buzz” C&C server used to send device information.
  • Upon receiving the “ccsilent” command from the FCM server, the C&C server URL will be updated to “hxxps://toolgpt[.]buzz.”
  • A dynamic URL can be obtained from the FCM server through the “http” command.
Figure 10 – C&C server communication

The malware employs the Retrofit Library for its communication with the C&C server. Within the malware, two distinct Retrofit instances are identified: one is specifically for “hxxps://capsup[.]buzz,” while the other is designated for the URL stored in “KYLK00.txt.” The first Retrofit instance is solely responsible for transmitting device information and providing responses once the malware acquires the C&C URL from the FCM server. On the other hand, the second Retrofit instance is extensively utilized throughout the malware’s code, primarily for sending various types of stolen data to various endpoints.

Figure 11 – Malware using the retrofit library for C&C communication
Figure 12 – Endpoints used to send stolen data

The implemented C&C architecture ensures that the malware can sustain communication with backup servers in case of communication failures with the current server.

Targeting Messaging And Social Media Applications

The malware uses the Accessibility service to track user interactions with messaging and social media applications. Below is a list of targeted applications, with the highlighted ones indicating the new additions in the current variant:

  • com.facebook.orca
  • org.thoughtcrime.securesms
  • org.telegram.messenger
  • com.gbwhatsapp
  • com.whatsapp.w4b
  • com.whatsapp

By employing the resource identifier of the targeted application, the malware attempts to locate user interface elements associated with calls and messages. It then extracts relevant data, including the recipient’s name, message content, message status, and timestamps.

Figure 13 – Extracting information from the targeted messaging application
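The C&C and targeting sections above give an analyst a compact set of static indicators: the FCM command tokens, the two hardcoded C&C domains, the “KYLK00.txt” config file and “Resource1.apk” payload name, the DexClassLoader usage, and the six watched messaging packages next to a manifest that binds both an Accessibility service and a Notification Listener. The triage script below is an added example (not Cyble’s tooling) that scores an unpacked APK against those indicators; the manifest and dex strings are constructed stand-ins for apktool output and `strings classes.dex`.

```python
"""Static triage of an unpacked APK for the indicators this report describes
(added example; constructed inputs, not Cyble's tooling)."""

# Indicators taken from the report: FCM command tokens, C&C domains, file names,
# and the messaging packages the Accessibility service watches.
FCM_COMMANDS = {"ccdiss", "ccqkupt", "ccsilent", "ccflupt", "ccsmnd",
                "ccinst", "cccont", "ccclg", "ccdrp"}
C2_DOMAINS = {"capsup.buzz", "toolgpt.buzz"}
FILE_NAMES = {"kylk00.txt", "resource1.apk"}
TARGET_PACKAGES = {"com.facebook.orca", "org.thoughtcrime.securesms",
                   "org.telegram.messenger", "com.gbwhatsapp",
                   "com.whatsapp.w4b", "com.whatsapp"}
# Intent actions a manifest declares to bind an Accessibility service and a
# Notification Listener: the pair this family combines for chat and call capture.
SERVICE_ACTIONS = {
    "android.accessibilityservice.AccessibilityService": "accessibility",
    "android.service.notification.NotificationListenerService": "notification_listener"}

def triage(manifest_xml: str, dex_strings: list[str]) -> dict:
    """Return the matched indicators plus a weighted score (C&C domains and the
    service pair weigh most) for analyst prioritisation."""
    hits = {"services": set(), "commands": set(), "c2": set(), "files": set(),
            "targets": set(), "dynamic_load": False}
    for action, label in SERVICE_ACTIONS.items():
        if action in manifest_xml:
            hits["services"].add(label)
    for s in dex_strings:
        low = s.lower().replace("[.]", ".")   # undo defanging if copied from a report
        if low in FCM_COMMANDS:
            hits["commands"].add(low)
        hits["c2"].update(d for d in C2_DOMAINS if d in low)
        hits["files"].update(f for f in FILE_NAMES if f in low)
        if s in TARGET_PACKAGES:
            hits["targets"].add(s)
        if "dalvik/system/DexClassLoader" in s:   # runtime loading of the payload
            hits["dynamic_load"] = True
    hits["score"] = (3 * len(hits["c2"]) + 2 * len(hits["services"])
                     + len(hits["commands"]) + len(hits["files"])
                     + len(hits["targets"]) + 2 * hits["dynamic_load"])
    return hits

# Constructed sample input standing in for AndroidManifest.xml and dex strings.
SAMPLE_MANIFEST = """<manifest package="com.syster.serviceapp">
 <service android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"><intent-filter>
  <action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter></service>
 <service android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"><intent-filter>
  <action android:name="android.service.notification.NotificationListenerService"/></intent-filter></service>
</manifest>"""
SAMPLE_STRINGS = ["ccsilent", "ccqkupt", "https://capsup.buzz/", "KYLK00.txt",
                  "com.whatsapp", "org.telegram.messenger",
                  "Ldalvik/system/DexClassLoader;", "Resource1.apk", "QuranApp"]
```

Any single hit is weak on its own (many legitimate apps use FCM or an Accessibility service); the value is in the combination, which is why the score weights the C&C domains and the service pair.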

The malware saves this extracted data from messaging and social media applications into SQLite databases. Specifically, the malware creates 22 separate databases to store each type of stolen information. The figure below illustrates the process of creating these databases.

Figure 14 – Malware creating databases to store stolen information

Recording VoIP Calls

The malware has enrolled a Notification Listener service that observes notifications related to incoming/outgoing voice or video calls within specific messaging and social media applications. When the victim receives a call, the malware initiates the audio recording of that call.

Figure 15 – Malware starting VoIP call recordings

After the notification for calls made through targeted applications is removed, the malware dispatches an “end” call state signal to the audio recording service class and subsequently stops the audio recording.

Figure 16 – Stopping malware VoIP call recording
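Because the call recording described above depends on a granted Notification Listener binding, and the chat scraping on a granted Accessibility binding, a quick device-side check is to list which packages hold each binding and flag any package outside a known-good list, especially one holding both. The script below is an added example (not from the report): it parses the two secure settings Android keeps for these bindings, and the sample values and allowlist are constructed.

```python
"""Device-side posture check for the Notification Listener and Accessibility
bindings this spyware relies on (added example, not from the report)."""
import subprocess

# Assumption: fleet-specific allowlist of packages legitimately granted these bindings.
ALLOWLIST = {"com.android.systemui", "com.google.android.gms"}

def parse_components(setting_value: str) -> set[str]:
    """Both settings are colon-separated flattened ComponentNames ("pkg/cls:pkg/.Cls");
    return the package part of each entry."""
    pkgs = set()
    for comp in setting_value.strip().split(":"):
        if comp and comp != "null":
            pkgs.add(comp.partition("/")[0])
    return pkgs

def suspicious_bindings(listeners: str, accessibility: str, allow=ALLOWLIST) -> dict:
    """Non-allowlisted packages per binding; 'both' is the combination used here
    (Accessibility for chat scraping, the listener to trigger VoIP recording)."""
    l = parse_components(listeners) - allow
    a = parse_components(accessibility) - allow
    return {"notification_listener": sorted(l), "accessibility": sorted(a),
            "both": sorted(l & a)}

def check_device() -> dict:
    """Live variant: reads the two secure settings over adb (not exercised offline)."""
    def get(key: str) -> str:
        return subprocess.run(["adb", "shell", "settings", "get", "secure", key],
                              capture_output=True, text=True, check=True).stdout
    return suspicious_bindings(get("enabled_notification_listeners"),
                               get("enabled_accessibility_services"))

# Constructed sample values in the format `settings get secure ...` prints;
# the class names are made up for the demo.
SAMPLE_LISTENERS = ("com.android.systemui/.NotifListener:"
                    "com.syster.serviceapp/.NotificationService:com.example.legit/.Svc")
SAMPLE_A11Y = "com.syster.serviceapp/.AccessService:com.google.android.gms/.SomeService"
```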

Downloading Payload At Runtime

As explained earlier, the malware receives a range of commands from the FCM server. Among these commands, the “ccinst” command is responsible for downloading an additional APK file titled “Resource1.apk” from the URL provided with the command received from the FCM server.

Figure 17 – Downloading payload at runtime

Upon obtaining the payload from the server, the malware accesses the payload component using the Dex ClassLoader. The figure below illustrates the classes loaded by the malware through the use of the “loadClass” method. While conducting dynamic analysis, we were unable to retrieve the additional payload, which could potentially introduce other malicious functionalities.

Figure 18 – Loading payload components

Data Exfiltration

The malware stores flags corresponding to various categories of exfiltrated data in a GeoFlag database. Depending on the values of these flags, the malware transmits the stolen data to the C&C server.

Figure 19 – Sending stolen data based on the flags stored in the database

Below is the comprehensive list of data that the malware can pilfer from a compromised device and send to the C&C server:

  • Call logs
  • Contacts
  • Calendar event
  • SMSs
  • Files
  • Screen recordings
  • Call recordings
  • Messaging and social media app conversations
  • Malware captured screenshots
  • Malware captured photos
  • Audio recordings
  • Browser history
  • Clipboard content
  • Location
  • Device information
  • Location information
  • VoIP call recordings
  • Account information
  • Installed application information


The DoNot APT group’s persistent evolution and expansion of its Android malware capabilities reveal its determination to stay at the forefront of espionage and cyber operations. The latest variant, “Quran pro.apk,” weaponizes a seemingly innocent Quran app to infiltrate and collect a wide range of sensitive data, including VoIP call recordings and messaging app conversations. The DoNot group’s relentless efforts to refine their tools and techniques underscore the ongoing threat they pose, particularly in their targeting of individuals in the sensitive Kashmir region of India. The ever-adapting nature of cyber threats demands continued vigilance and proactive defense strategies to protect against such advanced adversaries.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

  • Download and install software only from official app stores like Play Store or the iOS App Store. 
  • Using a reputed antivirus and internet security software package is recommended on connected devices, including PCs, laptops, and mobile.
  • Use strong passwords and enforce multi-factor authentication wherever possible. 
  • Be wary of opening any links received via SMS or emails delivered to your phone. 
  • Ensure that Google Play Protect is enabled on Android devices. 
  • Be careful while enabling any permissions. 
  • Keep your devices, operating systems, and applications updated.

MITRE ATT&CK® Techniques

Tactic | Technique ID | Procedure
Persistence (TA0028) | Event Triggered Execution: Broadcast Receivers (T1624.001) | The malware registered 4 broadcast receivers to trigger malicious actions, including the recording of incoming calls, pilfering incoming SMS messages, and auto-starting the application when the device boots up.
Defense Evasion (TA0030) | Download New Code at Runtime (T1407) | Malware downloads additional payload on command
Defense Evasion (TA0030) | Impair Defenses: Prevent Application Removal | Abuses accessibility service to prevent uninstallation
Discovery (TA0032) | System Information Discovery | Collects device information such as device ID, model, and manufacturer
Discovery (TA0032) | System Network Configuration Discovery | Malware collects the IP address, MAC address, SIM information, IMEI number
Discovery (TA0032) | Software Discovery | Collects installed application details
Collection (TA0035) | Access Notifications | Access notifications to start VoIP call recordings
Collection (TA0035) | Input Capture: Keylogging (T1417.001) | Sends keystrokes
Collection (TA0035) | Audio Capture | Records audio and calls
Collection (TA0035) | Clipboard Data | Steals clipboard content
Collection (TA0035) | Data from Local System | Collect files from storage
Collection (TA0035) | Location Tracking | Collects victim’s device location
Collection (TA0035) | Protected User Data: Calendar Entries | Collects calendar events
Collection (TA0035) | Protected User Data: Call Log | Collects device’s call log
Collection (TA0035) | Protected User Data: Contact List | Collects contacts from the infected device
Collection (TA0035) | Protected User Data: SMS Messages | Steals SMSs from infected device
Collection (TA0035) | Screen Capture | Steals recorded screen content
Collection (TA0035) | Stored Application Data | Steals conversation from messaging app by abusing Accessibility service
Command and Control (TA0037) | Application Layer Protocol (T1437) | Uses Firebase Cloud Messaging to receive commands
Exfiltration (TA0036) | Exfiltration Over C2 Channel (T1646) | Sending exfiltrated data over C&C server

Indicators of Compromise (IOCs)

Indicators | Indicator Type | Description
a4d6c718a5978643439f9373630a72f738b763b535fa7e945e4adb5c1b75ab89 | SHA256 | NapChat App 1.0.apk
ea614dc5d898dbe71c080aefb3f74316d3a704ea | SHA1 | NapChat App 1.0.apk
26850d7b5e900b2e00c8c610c1294a78 | MD5 | NapChat App 1.0.apk
hxxps://capsup[.]buzz | URL | C&C server
hxxps://toolgpt[.]buzz | URL | C&C server
63879938fa7a8058d1a2d30446d0ad3b819b7f7661478ebb6f4505c456b91cc1 | SHA256 | Quran pro.apk
 | SHA1 | Quran pro.apk
 | MD5 | Quran pro.apk
