Application security, Malware

Malicious Android apps leveraged in Indian APT’s spyware campaign

BleepingComputer reports that the Indian state-sponsored hacking operation DoNot, also known as APT-C-35, has used three Android apps published by "SecurITY Industry" on the Google Play Store in a spyware campaign supporting its intelligence-gathering efforts. According to a Cyfirma report, two of the malicious apps, "nSure Chat" and "iKHfaa VPN," request suspicious permissions, including access to the device contact list and precise location data; the collected data is stored locally with Android's Room library before being sent in HTTP requests to DoNot's command-and-control server. Further analysis found that nSure Chat uses the same server address as one seen in Cobalt Strike intrusions last year, and that iKHfaa VPN's code base was copied from the Liberty VPN app. The campaign was attributed to DoNot based on its use of ProGuard obfuscation and of strings encrypted with the AES/CBC/PKCS5PADDING cipher. The report also noted DoNot's shift to spear-phishing attacks delivered over WhatsApp and Telegram.
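As an added defender-side example (not code from the report or from the apps it describes), the following Python triage heuristic flags an APK for manual review when the traits named above coincide: the contacts-plus-precise-location permission pairing together with network access, Room persistence classes, and an `AES/CBC/PKCS5PADDING` cipher string. The manifest, the decompiled-string list and the scoring threshold are constructed assumptions, not values from the report.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission pairing described in the report: contact list plus precise location.
SENSITIVE_PERMS = {
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
}
# Exfiltration is only possible if the app can also reach the network.
NETWORK_PERM = "android.permission.INTERNET"
# Code-level traits the report relied on: Room storage and AES/CBC/PKCS5Padding strings.
ROOM_MARKER = "androidx/room/"
CIPHER_MARKER = "AES/CBC/PKCS5PADDING"   # Java Cipher transformations are case-insensitive

def manifest_permissions(manifest_xml: str) -> set:
    """Collect every <uses-permission android:name=...> from an AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}

def triage(manifest_xml: str, dex_strings: list) -> dict:
    """Score an APK on the report's indicators; the threshold (4) is an assumption."""
    perms = manifest_permissions(manifest_xml)
    findings = {
        "sensitive_perms": sorted(perms & SENSITIVE_PERMS),
        "network": NETWORK_PERM in perms,
        "uses_room": any(ROOM_MARKER in s for s in dex_strings),
        "aes_cbc_strings": any(s.upper() == CIPHER_MARKER for s in dex_strings),
    }
    score = (len(findings["sensitive_perms"]) + int(findings["network"])
             + int(findings["uses_room"]) + int(findings["aes_cbc_strings"]))
    findings["score"] = score
    findings["review"] = score >= 4   # Room and AES are common in benign apps; a single hit is noise
    return findings

# Constructed sample inputs, not taken from the apps in the report.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""
SAMPLE_STRINGS = ["Landroidx/room/RoomDatabase;", "AES/CBC/PKCS5Padding",
                  "https://example.invalid/upload"]

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_STRINGS))
```

The score is a triage signal for prioritising which Play Store submissions or installed apps get a closer look, not a malware verdict on its own.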
