DoNot APT Group, also known as APT-C-35, is an Advanced Persistent Threat (APT) group targeting government-related organizations. DoNot has a reputation for carrying out APT attacks against India, Pakistan, Argentina, and countries in South Asia. This group mainly spreads malware using malicious programs developed in C++, Python, .NET, and other languages.

DoNot APT mainly spreads malware via spear-phishing emails containing malicious documents and files. In addition to spreading malware via spear-phishing emails with attachments that contain either a vulnerability or a malicious macro, this APT group leverages malicious Android APKs in their target attacks. 

Android-based Spyware applications are often disguised as system tools and in some cases as fake apps, counterfeit mobile games, and fake news apps. Post installation, these apps perform Trojan functions in the background and can remotely control the victim’s system, besides stealing confidential information from the targeted device. 

During our Open-Source Intelligence (OSINT) research, Cyble researchers found a malware sample of the DoNot APT group posted on Twitter. Upon analyzing the malware sample, the Cyble Research Lab discovered that it is a fake app disguised as a legitimate messaging app that collects sensitive information from the victim’s device.

The APT group uses the deobfuscation code along with some packers within the application to conceal malicious functionalities. This prevents the spyware from being detected during the static analysis of the app.

Technical Analysis:
We performed the technical analysis of an APK, with the following hash value: 
fdb67688d92900226bf834ce67f4112f03e981611ee50e9c3102636574b05280. 

App name: Mecaller.apk

Package name: com.chat.nsgnest

Some of the applications’ permissions, activities, and services that may be used to perform malicious activities are listed below: 

Permissions: 

• android.permission.READ_CALENDAR
• android.permission.PROCESS_OUTGOING_CALLS
• android.permission.ACCESS_COARSE_LOCATION
• android.permission.INTERNET
• android.permission.ACCESS_FINE_LOCATION
• android.permission.READ_CALL_LOG
• android.permission.WRITE_EXTERNAL_STORAGE
• android.permission.RECEIVE_SMS
• android.permission.AUTHENTICATE_ACCOUNTS
• android.permission.CALL_PHONE
• android.permission.READ_PHONE_STATE
• android.permission.READ_SMS
• android.permission.RECORD_AUDIO
• android.permission.READ_CONTACTS

Activities: 

• ime.serviceinfo.app.MainActivity
• ime.serviceinfo.app.qsharehong.qsharelackhong

Services: 

• ime.serviceinfo.app.qsynchong.qSyncServicehong
• ime.serviceinfo.app.qsynchong.qAuthenticatorServicehong
• ime.serviceinfo.app.qaleolehong.qdcerthong
• ime.serviceinfo.app.qaleolehong.qnqwerhong
• ime.serviceinfo.app.qstunthong.qSensorServicehong
• ime.serviceinfo.app.qsharehong.qsttrServicehong
• ime.serviceinfo.app.qsharehong.qServicehong
• ime.serviceinfo.app.qaleolehong.qhepjshong
• ime.serviceinfo.app.qhelphong.qgarohong
• ime.serviceinfo.app.qaihihihong.tknnotify.sfsSr

We also performed a dynamic analysis and discovered that the app has an emulator check that avoids running the app in an emulator or VirtualBox, and only runs this app on legitimate devices. Further, on bypassing the scripts using Frida and on loading the application, it displays a message as shown in the figure below.

Figure 1 Error Message from The App on Loading It Through Frida Scripts

Using the same Frida scripts and on loading the various activities, the app requests users to enable the accessibility service and on activating, it displays the below message as shown in Figure 2.

Figure 2 – Message displayed on turning on the Accessibility Service

The malware then initiates malicious behavior from the application main class, “ime.serviceinfo.app.MainActivity“. The entry point of the app is this class, which gets executed at first when the user starts the application.

Using the above permissions granted from users, the following data is fetched from the devices:  

• Tracking the user’s location along with network operator details, device location, latitude, and longitude from the compromised device.

Figure 3 Code to track the location of the device with Latitude and Longitude

• Checking for the availability of internet connection from the device to collect the network and connectivity information.

Figure 4 Checks for Internet connection Availability

• The application also has the capability to record audio and collect media files from the infected device without the user’s knowledge.

Figure 5 Code to Record Audio/Media Files from the Infected Device

• Sending text messages using permissions and SMS manager.

Figure 6 Sends text Messages using SMS Manager and Android Permissions

• Tracking the Service/Receiver that are registered post device reboot.

Figure 7 Registers the service/receiver on phone reboot

• After the accessibility service is enabled, the application launcher icon is removed from the main screen, thereby allowing the app to stay hidden.

Figure 8 Hides the Application launcher Icon from View

• Collecting the information on the running application processes or tasks.

Figure 9 Collects list of running processes

• Verifying the infected device fingerprint, hardware, and model to find out whether the application is executed through emulator or through VirtualBox. If it is executed through emulator, the application will not be performing any malicious activity to avoid any kind of detection.

Figure 10 Code to detect the analysis device (Emulator Check)

• Monitoring the device phone number from both outgoing and incoming calls using broadcastreceiver and storing the collected data into “CallLogs.txt“.

Figure 11 Code that queries phone numbers from incoming and outgoing calls

Figure 12 Code that monitors and collects call logs

• Monitoring the incoming messages, creating Protocol data unit (PDU), intercepting SMSes to collect information from them and storing the information in “sms.txt“.

Figure 13 Code that monitors and collects SMS data

Figure 14 Stores the collected SMS data

• Collecting phone contacts from the infected device and storing it in “contacts.txt” file.

Figure 15 Collects and stores Phone contacts

• Along with the above sensitive information, this malicious app has the code to fetch stored mail accounts and application accounts like Gmail, WhatsApp, besides storing the information in “accounts.txt“.

Figure 16 Code that collects and stores mail, application accounts

• Base64 Encryption technique used in multiple classes and methods.

Figure 17 Encrypted strings using Base64 encryption technique

Upon decrypting the encrypted strings, we were able to determine that the data being collected by this app is sent to the C2 link through which the application communicates and uploads the information to the server.

C2 Server: hxxp[:]//tinyshort[.]icu/

CONCLUSION:

Spyware apps have been around for a long time, yet they still pose a significant threat to sensitive data on victim devices. The APT groups responsible for creating the spyware are constantly adapting and using various encryption techniques to avoid detection. This makes removal of the spyware nearly impossible, thus users should exercise caution while installing applications.

SAFETY RECOMMENDATIONS:

• Keep your anti-virus software updated to detect and remove malicious software. 
• Uninstall the application if you find this malware in your device. 
• Keep your system and applications updated to the latest versions. 
• Use strong passwords and enable two-factor authentication. 
• Download and install software only from trusted sites and official app stores. 
• Verify the privileges and permissions requested by apps before granting them access. 
• People concerned about the exposure of their stolen credentials in the dark web can register at AmIBreached.com to ascertain their exposure. 

MITRE ATT&CK® Techniques- for Mobile 

Tactic	Technique ID	Technique Name
Defense Evasion	T1406   T1418	Obfuscated Files or Information   Application Discovery
Credential Access	T1409   T1412	Access Stored Application Data   Capture SMS Messages
Collection	T1507   T1430   T1412  T1429  T1432  T1433	Network Information Discovery   Location Tracking   Capture SMS Messages  Capture Audio  Access Contact List  Access Call Log
Discovery	T1421  T1430  T1426  T1418  T1424	System Network Connections Discovery  Location Tracking    System Information Discovery   Application Discovery  Process Discovery
Command and Control	T1573  T1571	Encrypted Channel   Non-Standard Port
Exfiltration	T1532	Data Encrypted

Indicators of Compromise (IoCs): 

IOCs	IOC type
fdb67688d92900226bf834ce67f4112f03e981611ee50e9c3102636574b05280	SHA256
hxxp[:]//tinyshort[.]icu/	Interesting URL
45.61.137[.]7	IP address

About Cyble 

Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the darkweb. Cyble’s prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups to Watch in 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.