A new targeted campaign has emerged in Pakistan, where individuals have fallen victim to two rogue Android apps available on the Google Play Store — iKHfaa VPN and nSure Chat.
Cybersecurity firm Cyfirma has attributed the campaign, with moderate confidence, to the threat actor known as DoNot Team, also tracked as APT-C-35 and Viceroy Tiger.
The primary objective of this espionage activity is to deceive Android smartphone users into downloading an application that extracts sensitive contact and location data from unsuspecting victims. The acquired information is then used in a subsequent stage of the attack, deploying malware with more destructive capabilities.
DoNot Team, believed to be associated with India, has been active since at least 2016 and is known for targeting countries in South Asia. In previous reports, Amnesty International linked the group's attack infrastructure to an Indian cybersecurity firm called Innefu Labs. Separately, Group-IB identified connections between DoNot Team and another Indian hacking group known as SideWinder.
The attack techniques employed by DoNot Team involve spearphishing emails carrying decoy documents and files that deliver malware. In addition, the threat actor uses malicious Android apps disguised as legitimate utilities to further its targeted attacks.
Cyfirma discovered a set of applications published under the developer name SecurITY Industry, masquerading as VPN and chat apps. The apps have low download counts, which suggests a highly targeted operation of the kind characteristic of nation-state actors. Once installed, the apps prompt users to grant invasive runtime permissions, such as access to the contact list and precise location, that a VPN or chat utility has no evident need for.
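A quick way to triage this kind of mismatch is to compare the permissions an app declares against what its stated purpose plausibly requires. The script below is an added example, not code from Cyfirma or from the apps discussed; it takes a manifest decoded to text XML (for instance by apktool) and flags sensitive runtime permissions a VPN client would not need. The sample manifest, the package name and the VPN baseline are constructed for illustration and are not taken from the report; the permission strings themselves are real Android permission names.

```python
"""Flag sensitive Android permissions that do not fit an app's stated purpose.

Added example. SAMPLE_MANIFEST, the package name and VPN_BASELINE are constructed
assumptions for illustration; they do not describe the real iKHfaa VPN or nSure Chat.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Runtime ("dangerous") permissions that expose personal data. The names are real
# Android permission strings; the grouping and descriptions are this example's own.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contact list",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.READ_SMS": "SMS content",
    "android.permission.READ_CALL_LOG": "call history",
    "android.permission.RECORD_AUDIO": "microphone",
}

# What a VPN client plausibly needs. This baseline is an assumption of the example.
VPN_BASELINE = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.FOREGROUND_SERVICE",
}

# Constructed manifest: a "VPN" app that also asks for contacts and precise location.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakevpn">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application android:label="Example VPN">
        <service android:name=".VpnService"
            android:permission="android.permission.BIND_VPN_SERVICE"/>
    </application>
</manifest>
"""


def declared_permissions(manifest_xml: str) -> set:
    """Return the set of <uses-permission android:name=...> values in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }


def unexpected_sensitive(manifest_xml: str, baseline: set) -> dict:
    """Map each sensitive permission outside the expected baseline to what it exposes."""
    perms = declared_permissions(manifest_xml)
    return {p: SENSITIVE[p] for p in sorted(perms - baseline) if p in SENSITIVE}


if __name__ == "__main__":
    for perm, what in unexpected_sensitive(SAMPLE_MANIFEST, VPN_BASELINE).items():
        print(f"unexpected for a VPN client: {perm} ({what})")
```

On the constructed manifest this reports READ_CONTACTS and ACCESS_FINE_LOCATION as unexpected, which is exactly the combination the article describes. A declared permission is only a capability; since Android 6 these two are granted at runtime, so the user still sees a prompt, and the app's trick is to make that prompt look routine. The check is therefore a triage signal, not proof of malice.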
It is currently unclear how many victims have been affected by these rogue apps, but those identified so far are based in Pakistan. Potential victims are believed to have been approached through messages on platforms such as Telegram and WhatsApp to entice them into installing the malicious apps.
By exploiting the trust users place in the Google Play Store as a legitimate source, the threat actors were able to distribute malware through this popular platform. Users are therefore advised to exercise caution when downloading apps, to scrutinize the developer and download history, and to question any permission request that does not match what the app claims to do.
Cyfirma highlights that this Android malware’s purpose appears to be gathering information for strategic planning. With access to victims’ contact lists and locations, the threat actors can orchestrate future attacks using more advanced Android malware to target and exploit their victims.