DoNot APT Hackers Deploy Android Malware Apps on Google Play

DoNot APT Hackers Deploy Android Malware Apps on Google Play, Under the account name “SecurITY Industry,” the CYFIRMA team successfully identified dubious Android apps on the Google Play Store.

The app’s true nature has been unveiled, revealing its malware traits and its affiliation with the “DoNot” APT group

Security analysts have recently identified that the threat actor is actively using Android payload to target people in Pakistan.

However, the motives driving their cyber attacks in South Asia remain uncertain.

Collecting information using the initial payload and then using that information for the next-stage second attack using more powerful malware features is the attack’s primary goal.

Suspicious Apps

Here below, we have mentioned all the suspicious apps from SecurITY Industry on the Google Play Store:-

  • nSure Chat
  • iKHfaa VPN
  • Device Basics Plus
security industry

Among these three suspicious apps, two of them have malicious characteristics, and here they are mentioned below:-

  • nSure Chat
  • iKHfaa VPN

Android Malware Apps on Google Play

Utilizing the clean and unsuspecting Android libraries, the threat actors manipulated them to retrieve the compromised victim’s contacts and location.

By replicating the code of a renowned VPN service provider, iKHfaa VPN introduced extra libraries to perform malicious activities discreetly.

When the iKHfaa VPN is installed, a notification prompts the user to grant permission for location access. 


Improper changes made to the app are apparent on the “about us” page, which explicitly mentions the app’s actual name in its content.

Apart from this, the malicious nSure Chat app presents a screenshot after the installation of the app and opening it. If the user chooses to skip the Chat page, the app will prompt them to grant permission for contact access.


Now if the user skips the signup page, they will be automatically directed to the login or signup section of the application.

The cybersecurity researchers conducted an in-depth code analysis by decompiling the apps and discovered that with restricted permissions, the threat actor performed all the malicious actions.

The iKHfaa VPN app secretly included RoomDB and Retrofit Libraries to save data and retrieve contacts and exact locations for the web-based control server, which also serves as the official app website.


Here below, we have mentioned the most dangerous permissions that are asked:-

  • ACESS_FINE_LOCATION: Allows the threat actor to fetch precise locations and track the live movement of mobile phones.
  • READ_CONTACTS: This permission allows the threat actor to read and fetch contacts.

If the GPS feature is enabled, the iKHfaa VPN module can determine the compromised victim’s exact location.

Without that, it captures and stores the compromised device’s last recorded location.


The decompiled code of iKHfaa VPN reveals the integration of the ROOM Library, which is part of the Android Jetpack suite.

Upon inspecting the decompiled code of the nSure Chat app, it is revealed that retrofit is utilized to establish communication with the domain and port configured within the application.

Security analysts discovered the communication between the app and port 4000 after analyzing the live traffic of the nSure Chat app. While this communication is linked to the encrypted domain using the free service of Let’s Encrypt. 


Profile of the Threat Actor

The below image is the complete profile of the “DoNot” APT threat actor:-


Moreover, this Android malware has been intentionally crafted to gather information by the DoNot APT actors.

When the threat actor gains access to the contact lists and locations of the victims, they can plan further attacks.

Then to target and exploit the victims, they use Android malware equipped with sophisticated features.

“These apps have been removed from Google Play and the developer has been banned. Google Play Protect protects users from apps known to contain this malware on Android devices with Google Play Services, even when those apps come from other sources.” Cyber Security News learned from Google spokesperson “Ed Fernandez”.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.