DoNot Team Linked to New Tanzeem Android Malware Targeting Intelligence Collection


The advanced persistent threat (APT) group known as DoNot Team has been linked to a newly discovered Android malware variant, dubbed Tanzeem, as part of a series of highly targeted cyberattacks focused on intelligence collection.


Tanzeem Malware: A Deceptive Chat App

First identified by cybersecurity firm Cyfirma in October and December 2024, the Tanzeem and Tanzeem Update applications are designed to function as chat apps but exhibit malicious behavior upon installation.

"Although the app is supposed to function as a chat application, it does not work once installed, shutting down after the necessary permissions are granted," Cyfirma revealed in an in-depth analysis.


The naming convention suggests that the malware is intended to target specific individuals or groups, both domestically and internationally, for espionage purposes.


DoNot Team: APT Group with a Track Record of Cyber Attacks

Also known as APT-C-35, Origami Elephant, SECTOR02, and Viceroy Tiger, the DoNot Team is a suspected India-based hacking group. It has previously leveraged spear-phishing emails and Android malware to infiltrate targeted systems and exfiltrate sensitive information.


In October 2023, DoNot Team was associated with Firebird, a previously undocumented .NET-based backdoor that targeted victims in Pakistan and Afghanistan.


How Tanzeem Malware Operates

The exact targets of the Tanzeem malware remain unclear, but its design suggests an intent to collect critical intelligence. The app deceptively presents a chat interface, urging users to click on a “Start Chat” button. Upon doing so, victims are prompted to grant permissions to the Accessibility Services API, allowing the malware to execute malicious activities in the background.


Exploiting OneSignal for Malware Distribution

One of the notable tactics in this campaign is the abuse of OneSignal, a legitimate customer engagement platform commonly used for push notifications, in-app messaging, and email communication. Rather than exploiting a flaw in the platform, DoNot Team is believed to be using it as intended to send notifications that carry phishing links, leading unsuspecting users to download additional malware.


Malware Capabilities: Data Exfiltration & C2 Communication

Once installed, Tanzeem malware aggressively requests access to:

Call logs

Contacts

SMS messages

Precise location data

External storage files

Screen recordings

Account details


Additionally, the malware establishes a connection to a command-and-control (C2) server, enabling continuous data exfiltration and remote execution of commands.
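As a defender-side illustration of the capability set described above, the following added example (not Cyfirma's analysis code or a sample from the campaign) applies a simple triage heuristic to a decoded AndroidManifest.xml: it flags an app that declares an accessibility service together with several of the data-harvesting permissions Tanzeem requests. The permission-to-capability mapping and the sample manifest are constructed for illustration.

```python
"""Manifest triage heuristic for the Tanzeem-style capability pattern.

Added example, not from the article or Cyfirma. Given a decoded
AndroidManifest.xml, report which harvesting permissions are requested and
whether the app also binds an accessibility service; both together are
far more than a chat app needs.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree prefix for android: attributes

# Assumed mapping from the article's capability list to manifest permissions.
HARVEST_PERMS = {
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.READ_EXTERNAL_STORAGE": "external storage",
    "android.permission.GET_ACCOUNTS": "account details",
}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"

def triage_manifest(xml_text: str, min_hits: int = 3) -> dict:
    """Return requested harvesting capabilities, whether an accessibility
    service is declared, and a 'suspicious' verdict when both hold."""
    root = ET.fromstring(xml_text)
    requested = {e.get(A + "name") for e in root.iter("uses-permission")}
    caps = sorted(v for k, v in HARVEST_PERMS.items() if k in requested)
    has_a11y = any(s.get(A + "permission") == ACCESSIBILITY_BIND
                   for s in root.iter("service"))
    return {"capabilities": caps, "accessibility_service": has_a11y,
            "suspicious": has_a11y and len(caps) >= min_hits}

# Constructed manifest mimicking a "chat app" that declares far more than chat needs.
SAMPLE_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.chat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application>
    <service android:name=".ChatA11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

Screen recording has no single manifest permission (it goes through MediaProjection at runtime), so a manifest check alone cannot cover every capability in the list; treat the verdict as a triage signal, not proof.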


Persistent Threat: Push Notification-Based Malware Delivery

Cyfirma's research uncovered a new strategy utilized by DoNot Team: leveraging push notifications to lure users into installing additional Android malware. This approach enhances the persistence of the malware on infected devices, reinforcing the threat actor’s long-term intelligence-gathering objectives.

"This tactic enhances the malware's ability to remain active on the targeted device, indicating the threat group's evolving intentions to continue participating in intelligence gathering for national interests," Cyfirma stated.


Google's Response: No Presence on Google Play

Following the discovery, Google issued a statement clarifying that no instances of the Tanzeem malware have been detected on Google Play.

"Based on our current detection, no apps containing this malware are found on Google Play. Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps exhibiting malicious behavior, even when downloaded from sources outside of Google Play."


Protect Yourself: Best Practices for Android Security

To stay protected from Android malware like Tanzeem, follow these best practices:

Download apps only from trusted sources (Google Play, Amazon Appstore, Samsung Galaxy Store)
Avoid granting excessive permissions to apps

Enable Google Play Protect to scan for malware

Be cautious of push notifications urging you to click unknown links

Keep your Android OS and apps updated for security patches

Use a reputable mobile security solution to detect threats


Conclusion

The DoNot Team’s Tanzeem malware highlights the evolving sophistication of cyber threats targeting Android users. By exploiting push notifications, accessibility permissions, and third-party platforms like OneSignal, APT groups continue to refine their malware delivery tactics.


Stay informed, stay protected, and adopt cybersecurity best practices to safeguard your Android device from emerging threats.