
Cybersecurity firm Cyfirma has discovered a new Android malware campaign linked to the DoNot Team threat actor. The malware, named Tanzeem (“organization” in Urdu) and Tanzeem Update, was identified in late 2024.
The malicious apps masquerade as chat applications but become non-functional after installation and permission grants. Both variants share similar functionalities with minor UI differences.
DoNot Team, also known as APT-C-35, Origami Elephant, SECTOR02, and Viceroy Tiger, is believed to be of Indian origin. The group has a history of using spear-phishing and Android malware for intelligence gathering operations.
Key Technical Features:
– Leverages the OneSignal platform for push notification delivery
– Requests extensive device permissions
– Collects sensitive data, including:
  – Call logs
  – Contacts
  – SMS messages
  – Location data
  – Account information
  – External storage files
– Captures screen recordings
– Establishes C2 server connections
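A triage check a defender can run against the data categories listed above, added here as an example and not from Cyfirma's report: it parses an app's AndroidManifest.xml, maps declared permissions to the categories the malware collects, and flags a supposed chat app that covers too many of them. The permission-to-category mapping, the sample manifest, and the package name are assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping (not from the report) of each data category named above
# to the Android permissions an app would need to collect it.
CATEGORY_PERMISSIONS = {
    "call_logs": {"android.permission.READ_CALL_LOG"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "accounts": {"android.permission.GET_ACCOUNTS"},
    "external_storage": {"android.permission.READ_EXTERNAL_STORAGE",
                         "android.permission.MANAGE_EXTERNAL_STORAGE"},
    "screen_capture": {"android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"},
}


def manifest_permissions(manifest_xml: str) -> set:
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")
            if el.get(ANDROID_NS + "name")}


def matched_categories(perms: set) -> list:
    """Data categories the app could collect, given its permissions."""
    return sorted(cat for cat, needed in CATEGORY_PERMISSIONS.items() if perms & needed)


def triage(manifest_xml: str, threshold: int = 4) -> dict:
    """Flag the app when it can reach at least `threshold` sensitive categories."""
    cats = matched_categories(manifest_permissions(manifest_xml))
    return {"categories": cats, "flag": len(cats) >= threshold}


# Constructed sample manifest resembling a "chat app" with the report's permission profile.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.chat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"/>
  <application android:label="Chat"/>
</manifest>"""

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```

A manifest is obtained from an APK with a decoder such as apktool; the threshold is a starting point to tune against a baseline of legitimate messaging apps.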
The malware employs a sophisticated persistence mechanism through push notifications, prompting users to install additional malicious components. While specific targets remain unclear, the campaign appears focused on gathering intelligence against internal threats in Pakistan and Afghanistan.
This development follows the group’s earlier deployment of the Firebird backdoor in October 2023, demonstrating their continued evolution in cyber espionage capabilities.