- Cyble Research and Intelligence Labs (CRIL) has identified a new version of Android malware used by the DoNot APT group, potentially targeting individuals in the Kashmir region of India.
- The DoNot APT group took an open-source project available on GitHub and added malicious code to weaponize the app.
- The updated malware now includes additional features such as recording VoIP calls, collecting messages from messaging and social media apps, and gathering various other types of data.
- The malware employs a command and control architecture that consists of a Firebase Cloud Messaging (FCM) server along with two other command and control (C&C) servers to maintain communication.
- The malware stores the stolen information in an SQLite database.
DoNot, also known as APT-C-35, is an Advanced Persistent Threat (APT) group that has been active since 2016. This APT group has a history of targeting government and military organizations, as well as foreign affairs ministries and embassies in South Asian countries. DoNot APT has been observed using both Windows and Android malware in its operations.
In April 2023, a security company examined an Android malware file with the hash a6d97b2f28b02193fc16d00447085c5c1338bad51ad1e20271e0f2a8d1002351 (acerchat.apk). The DoNot APT group employed this malware to target individuals in Kashmir, India. The malicious application cleverly posed as a messaging app and employed a two-layer string encryption method to obscure its true nature. The figure below shows the list of features employed by the malware:
During the same period, an enhanced version of this Android malware came to our attention. In this updated version, two-layer string encryption was eliminated, and new functionalities were introduced. These enhancements encompassed the capability to steal conversations from messaging applications, screen recording, taking photos using the device’s camera, and capturing screenshots. This revised file was also mentioned in the same article, and its hash was specified as “b2b857553e0bbf098d35198a6dead03798fcf786c086e9f50e4e1f5eaeaad5e8 (AppsUpdate.apk).”
Similar to the previous version, some of these updated malicious files posed as messaging apps, while others pretended to be settings or app update applications, and the package names included Chinese characters. The figure below depicts the features incorporated into the updated version of the malware, with the new features highlighted in red.
Cyble Research and Intelligence Labs (CRIL) recently discovered two malicious files associated with the DoNot APT group. These files are named “NapChat App 1.0.apk (a4d6c718a5978643439f9373630a72f738b763b535fa7e945e4adb5c1b75ab89)” uploaded to VirusTotal on October 9, 2023, as well as “Quran pro.apk (63879938fa7a8058d1a2d30446d0ad3b819b7f7661478ebb6f4505c456b91cc1)” uploaded on October 10, 2023. It’s worth noting that these malicious files share the same source code as the “appsUpdate.apk” file but have incorporated new functions. The figure below provides a list of features for the recent malware variant:
Both of these files were uploaded from India and are associated with the same Command and Control (C&C) servers, namely “hxxps://capsup[.]buzz” and “hxxps://toolgpt[.]buzz.” The URL “hxxps://capsup[.]buzz” is currently operational and hosted on the IP address 162.33.178[.]209, with the domain registrar being “Namesilo LLC.” It’s important to note that a similar C&C domain pattern with the “Namesilo” registrar has been observed in attacks conducted by the DoNot APT group in the past. The combination of the sample upload location, the Quran app theme, and the structure of the C&C server resembles a campaign observed in April 2023. This suggests that the malware may be used to target individuals in Kashmir, India.
As previously mentioned, the latest version of the malware has introduced several new features. These additions encompass recording VoIP calls from messaging apps, capturing clipboard contents, downloading payloads during runtime, gathering browser history, as well as collecting other Personally Identifiable Information (PII) data and ShareMe activity. Notably, in this updated version, the malware has expanded its target list to include additional messaging and social media applications. The figure below illustrates the disparities between the malware that emerged in April 2023 (on the right) and the most recently updated malware (on the left).
For our in-depth analysis, we are focusing on the most recent application, “Quran pro.apk (63879938fa7a8058d1a2d30446d0ad3b819b7f7661478ebb6f4505c456b91cc1).” This specific malicious application is a weaponized version of the legitimate “QuranApp” found on the Google Play Store. The threat actor leveraged an open-source GitHub project called “QuranApp: Read and Explore” and integrated malicious source code into it. The figure below illustrates the additional malicious code present in the “Quran pro.apk” file.
APK Metadata Information
- App Name: QuranApp
- Package Name: com.syster.serviceapp
- SHA256 Hash: 63879938fa7a8058d1a2d30446d0ad3b819b7f7661478ebb6f4505c456b91cc1
Command and Control (C&C) Server Communication
The malware employs the Firebase Cloud Messaging (FCM) server as its initial Command and Control (C&C) server to receive commands. The FCM server is responsible for various functions, including obtaining the new C&C server URL, setting up databases, deleting the application, sending text messages from the infected device, adding contacts and call log entries, and downloading the APK file.
Below, we have listed the commands received via the FCM server:
| Command | Description |
|---|---|
| http | Receives the C&C server URL |
| ccqkupt | Sends device and network-related information |
| ccsilent | Updates the C&C server URL to “hxxps://toolgpt[.]buzz” |
| ccsmnd | Sends SMS from the infected device |
| WA | Updates WhatsApp-related shared preference settings |
| GB | Updates GB WhatsApp-related shared preference settings |
| IG | Updates Instagram-related shared preference settings |
| FB | Updates Facebook-related shared preference settings |
| 1 | Displays the Accessibility setting |
| cccont | Adds contacts to the content provider |
| ccclg | Adds call log entries to the content provider |
The malware stores an alternative C&C server URL in a text file named “KYLK00.txt”. The malware has two hardcoded C&C server URLs embedded in its code, namely “hxxps://capsup[.]buzz” and “hxxps://toolgpt[.]buzz.” Which C&C URL ends up in the text file depends on the following scenarios:
- The “hxxps://capsup[.]buzz” C&C server is used to send device information.
- Upon receiving the “ccsilent” command from the FCM server, the C&C server URL is updated to “hxxps://toolgpt[.]buzz.”
- A dynamic URL can be obtained from the FCM server through the “http” command.
The malware employs the Retrofit Library for its communication with the C&C server. Within the malware, two distinct Retrofit instances are identified: one is specifically for “hxxps://capsup[.]buzz,” while the other is designated for the URL stored in “KYLK00.txt.” The first Retrofit instance is solely responsible for transmitting device information and providing responses once the malware acquires the C&C URL from the FCM server. On the other hand, the second Retrofit instance is extensively utilized throughout the malware’s code, primarily for sending various types of stolen data to various endpoints.
The implemented C&C architecture ensures that the malware can sustain communication with backup servers in case of communication failures with the current server.
Targeting Messaging And Social Media Applications
The malware uses the Accessibility service to track user interactions with messaging and social media applications. Below is a list of targeted applications, with the highlighted ones indicating the new additions in the current variant:
By employing the resource identifier of the targeted application, the malware attempts to locate user interface elements associated with calls and messages. It then extracts relevant data, including the recipient’s name, message content, message status, and timestamps.
The malware saves this extracted data from messaging and social media applications into SQLite databases. Specifically, the malware creates 22 separate databases to store each type of stolen information. The figure below illustrates the process of creating these databases.
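As an added example (not code from the Cyble report or from the malware), a forensic triage helper for the per-category SQLite databases described above: given a copy of the app's private databases/ folder pulled from a device, it opens every SQLite file read-only and reports tables and row counts, so an analyst can see which data categories were actually collected. The directory layout, file names and table schemas below are constructed assumptions, not the sample's real 22 databases.

```python
import os
import sqlite3
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"  # 16-byte header of every SQLite 3 file

def triage_databases(db_dir):
    """Map each SQLite file in db_dir to {table: row_count}; other files are skipped."""
    report = {}
    for name in sorted(os.listdir(db_dir)):
        path = os.path.join(db_dir, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as f:
            if f.read(16) != SQLITE_MAGIC:
                continue
        # Open read-only through a URI so triage never alters the evidence copy.
        con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
        try:
            tables = [r[0] for r in con.execute(
                "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
            report[name] = {t: con.execute(f'SELECT COUNT(*) FROM "{t}"').fetchone()[0]
                            for t in tables}
        finally:
            con.close()
    return report

def build_constructed_evidence():
    """Create a throwaway directory shaped like a pulled databases/ folder."""
    d = tempfile.mkdtemp(prefix="triage_")
    # Constructed file names and schemas; the sample's real 22 databases are not reproduced.
    con = sqlite3.connect(os.path.join(d, "messages.db"))
    con.execute("CREATE TABLE chats (recipient TEXT, content TEXT, status TEXT, ts INTEGER)")
    con.executemany("INSERT INTO chats VALUES (?,?,?,?)",
                    [("alice", "hi", "sent", 1), ("bob", "ok", "seen", 2), ("carol", "?", "sent", 3)])
    con.commit()
    con.close()
    con = sqlite3.connect(os.path.join(d, "clipboard.db"))
    con.execute("CREATE TABLE clip (content TEXT, ts INTEGER)")
    con.execute("INSERT INTO clip VALUES ('copied text', 4)")
    con.commit()
    con.close()
    with open(os.path.join(d, "settings.txt"), "w") as f:  # non-SQLite file, must be skipped
        f.write("placeholder\n")
    return d
```

On a real case point `triage_databases` at the extracted `databases/` directory of the suspect package; tables such as `chats` can then be dumped with the same read-only connection.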
Recording VoIP Calls
The malware registers a Notification Listener service that observes notifications related to incoming/outgoing voice or video calls within specific messaging and social media applications. When the victim receives a call, the malware starts an audio recording of that call.
After the notification for calls made through targeted applications is removed, the malware dispatches an “end” call state signal to the audio recording service class and subsequently stops the audio recording.
Downloading Payload At Runtime
As explained earlier, the malware receives a range of commands from the FCM server. Among these commands, the “ccinst” command is responsible for downloading an additional APK file titled “Resource1.apk” from the URL provided with the command received from the FCM server.
Upon obtaining the payload from the server, the malware accesses the payload component using DexClassLoader. The figure below illustrates the classes loaded by the malware through the use of the “loadClass” method. During dynamic analysis, we were unable to retrieve the additional payload, which could potentially introduce other malicious functionalities.
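As an added example (not code from the Cyble report or from the malware), a static triage check for the capability profile described in the sections above: an accessibility service for scraping chats, a notification listener for spotting VoIP calls, a boot receiver for auto-start, and an FCM service for the first-stage C&C, together with the permissions behind the stolen-data categories. It parses a decoded AndroidManifest.xml (as produced by apktool); the sample manifest, class names and scoring thresholds are constructed assumptions.

```python
import xml.etree.ElementTree as ET
A = "{http://schemas.android.com/apk/res/android}"  # namespace of android:* attributes

# Hooks this family relies on: accessibility service (scrapes chats), notification
# listener (spots VoIP calls), boot receiver (auto-start) and FCM service (first C&C).
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
NOTIF_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
FCM_ACTION = "com.google.firebase.MESSAGING_EVENT"
# Permissions behind the stolen-data categories listed in the report.
DATA_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
              "android.permission.READ_CALL_LOG", "android.permission.READ_CONTACTS",
              "android.permission.READ_CALENDAR", "android.permission.RECORD_AUDIO",
              "android.permission.ACCESS_FINE_LOCATION", "android.permission.CAMERA"}

def _actions(node):
    return {a.get(A + "name") for a in node.iter("action")}

def triage_manifest(xml_text):
    """Return capability flags and a crude score for a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    services = list(app.iter("service")) if app is not None else []
    receivers = list(app.iter("receiver")) if app is not None else []
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    flags = {
        "accessibility_service": any(s.get(A + "permission") == ACCESSIBILITY for s in services),
        "notification_listener": any(s.get(A + "permission") == NOTIF_LISTENER for s in services),
        "fcm_service": any(FCM_ACTION in _actions(s) for s in services),
        "boot_receiver": any(BOOT_ACTION in _actions(r) for r in receivers),
        "data_permissions": sorted(perms & DATA_PERMS),
    }
    hooks = [k for k in ("accessibility_service", "notification_listener",
                         "fcm_service", "boot_receiver") if flags[k]]
    # One point per hook plus one per three sensitive permissions; all four hooks at
    # once is the profile described above and should go to manual review.
    flags["score"] = len(hooks) + len(flags["data_permissions"]) // 3
    return flags

# Constructed manifest (not the real sample's) that exercises every check.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.constructed">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application>
    <service android:name=".Scraper" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".Calls" android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <service android:name=".Fcm"><intent-filter><action android:name="com.google.firebase.MESSAGING_EVENT"/></intent-filter></service>
    <receiver android:name=".Boot"><intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter></receiver>
  </application></manifest>"""
```

The manifest alone cannot show runtime DexClassLoader use, so a high score is a reason to look at the code, not a verdict.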
The malware stores flags corresponding to various categories of exfiltrated data in a GeoFlag database. Depending on the values of these flags, the malware transmits the stolen data to the C&C server.
Below is the comprehensive list of data that the malware can pilfer from a compromised device and send to the C&C server:
- Call logs
- Calendar event
- Screen recordings
- Call recordings
- Messaging and social media app conversations
- Malware captured screenshots
- Malware captured photos
- Audio recordings
- Browser history
- Clipboard content
- Device information
- Location information
- VoIP call recordings
- Account information
- Installed application information
The DoNot APT group’s persistent evolution and expansion of its Android malware capabilities reveal its determination to stay at the forefront of espionage and cyber operations. The latest variant, “Quran pro.apk,” weaponizes a seemingly innocent Quran app to infiltrate and collect a wide range of sensitive data, including VoIP call recordings and messaging app conversations. The DoNot group’s relentless efforts to refine their tools and techniques underscore the ongoing threat they pose, particularly in their targeting of individuals in the sensitive Kashmir region of India. The ever-adapting nature of cyber threats demands continued vigilance and proactive defense strategies to protect against such advanced adversaries.
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
- Download and install software only from official app stores like Play Store or the iOS App Store.
- Using a reputed antivirus and internet security software package is recommended on connected devices, including PCs, laptops, and mobile devices.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Be wary of opening any links received via SMS or emails delivered to your phone.
- Ensure that Google Play Protect is enabled on Android devices.
- Be careful while enabling any permissions.
- Keep your devices, operating systems, and applications updated.
MITRE ATT&CK® Techniques
| Tactic | Technique | Description |
|---|---|---|
| | Event Triggered Execution: Broadcast Receivers (T1624.001) | The malware registered 4 broadcast receivers to trigger malicious actions, including the recording of incoming calls, pilfering incoming SMS messages, and auto-starting the application when the device boots up. |
| Defense Evasion (TA0030) | Download New Code at Runtime (T1407) | Malware downloads an additional payload on command |
| Defense Evasion (TA0030) | Impair Defenses: Prevent Application Removal | Abuses the Accessibility service to prevent uninstallation |
| Discovery (TA0032) | System Information Discovery | Collects device information such as device ID, model, and manufacturer |
| Discovery (TA0032) | System Network Configuration Discovery | Malware collects the IP address, MAC address, SIM information, and IMEI number |
| Discovery (TA0032) | Software Discovery | Collects installed application details |
| Collection (TA0035) | Access Notifications | Accesses notifications to start VoIP call recordings |
| Collection (TA0035) | Input Capture: Keylogging (T1417.001) | Sends keystrokes |
| Collection (TA0035) | Audio Capture | Records audio and calls |
| Collection (TA0035) | Clipboard Data | Steals clipboard content |
| Collection (TA0035) | Data from Local System | Collects files from storage |
| Collection (TA0035) | Location Tracking | Collects the victim’s device location |
| Collection (TA0035) | Protected User Data: Calendar Entries | Collects calendar events |
| Collection (TA0035) | Protected User Data: Call Log | Collects the device’s call log |
| Collection (TA0035) | Protected User Data: Contact List | Collects contacts from the infected device |
| Collection (TA0035) | Protected User Data: SMS Messages | Steals SMS messages from the infected device |
| Collection (TA0035) | Screen Capture | Steals recorded screen content |
| Collection (TA0035) | Stored Application Data | Steals conversations from messaging apps by abusing the Accessibility service |
| Command and Control (TA0037) | Application Layer Protocol (T1437) | Uses Firebase Cloud Messaging to receive commands |
| Exfiltration (TA0036) | Exfiltration Over C2 Channel (T1646) | Sends exfiltrated data to the C&C server |
Indicators of Compromise (IOCs)
| Indicator | Indicator Type | Description |
|---|---|---|
| a4d6c718a5978643439f9373630a72f738b763b535fa7e945e4adb5c1b75ab89 | SHA256 | NapChat App 1.0.apk |
| ea614dc5d898dbe71c080aefb3f74316d3a704ea | SHA1 | NapChat App 1.0.apk |
| 26850d7b5e900b2e00c8c610c1294a78 | MD5 | NapChat App 1.0.apk |
| 63879938fa7a8058d1a2d30446d0ad3b819b7f7661478ebb6f4505c456b91cc1 | SHA256 | Quran pro.apk |
| | SHA1 | Quran pro.apk |
| | MD5 | Quran pro.apk |