CYFIRMA warns of malicious Android apps on Google Play Store

Cybersecurity firm CYFIRMA has reportedly made a significant discovery regarding suspicious Android apps available on the Google Play Store. The apps were found under the account name "SecurITY Industry" and were flagged for containing malware characteristics.

Upon further investigation, CYFIRMA determined that the malicious apps were associated with the notorious Advanced Persistent Threat (APT) group called "DoNot", which previously targeted individuals in the Kashmir region. The focus has now shifted to individuals in Pakistan, although the motive behind these cyberattacks remains unknown.

For the record, DoNot has previously employed spear phishing attacks through malicious Word documents, but this recent shift showcases a strategy centered around enticing victims through messaging platforms such as WhatsApp and Telegram, pushing them to install the malicious apps from the Play Store.

CYFIRMA's analysis revealed that the attackers aimed to gather information through a stager payload in the initial stage of the attack. This information would then be utilized for a second-stage attack, involving the deployment of more dangerous malware.

The firm identified three Android apps hosted by the "SecurITY Industry" account on the Google Play Store: nSure Chat, Device Basic Plus, and iKHfaa VPN. Among these, nSure Chat and iKHfaa VPN displayed malicious characteristics. These apps are disguised as legitimate software and use otherwise innocuous Android libraries to extract the contacts and location of compromised victims. The code of iKHfaa VPN was copied from a legitimate VPN service provider, with additional libraries incorporated to carry out the malicious activity.

Through further code analysis, CYFIRMA discovered that the threat actor employed Proguard obfuscation techniques and AES/CBC/PKCS5PADDING encryption to hide the apps' malicious nature. By exploiting the trust users place in the Play Store, these threat actors significantly increase the chances of successful compromises.

The specific victims targeted by this Android malware in Pakistan remain largely unidentified. However, based on the malware's characteristics and access, it can be inferred that the threat actor's intention is to gather information for future attacks utilizing more advanced malware.

About the author

Pooja Sharma

Pursuing her professional career as a content writer for over two years now, Pooja Sharma is endowed with a post-graduate degree in English Literature. The articles that she writes are a balanced blend of her ever-growing love of language and the technical expertise that she has gained over the years. Currently Pooja pens insightful articles for Newsorigins and numerous other websites, covering subjects such as business, finance, and technology.