The DoNot Team threat actor has been linked to a new Android malware used in highly targeted cyberattacks. Cybersecurity firm Cyfirma discovered the artifacts in question in October and December of 2024.
Apart from minor UI changes, the apps in question were found to have identical features. Although the precise targets of the most recent malware are still unknown, it is believed that they were targeted in order to gather intelligence to counter internal threats. Google Play Protect, which is enabled by default on Android devices with Google Play Services, automatically protects Android users against known versions of this malware.
The app also requests a number of sensitive permissions in order to collect call logs, contacts, SMS messages, precise locations, account information, and files stored on external storage. There are currently no apps on Google Play that contain this malware, according to our detection. DoNot Team, also tracked as APT-C-35, Origami Elephant, SECTOR02, and Viceroy Tiger, is thought to be behind the malware.
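The permission set described above is the detection-relevant signal a triage analyst would look for in a decoded manifest. The following script is an added example, not code from Cyfirma or the article: it parses a decoded `AndroidManifest.xml` (text as produced by apktool or aapt; the manifest inside an APK is binary XML and must be decoded first), maps the real Android permission names to the data categories the article lists, and flags a manifest that requests a hypothetical threshold of four or more of them. Both manifests are constructed samples.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Data categories named in the article, mapped to the real Android permission
# that gates each one (the permission names are Android's, not the article's).
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.GET_ACCOUNTS": "account information",
    "android.permission.READ_EXTERNAL_STORAGE": "files on external storage",
}

# Constructed sample manifests (decoded text, as produced by apktool/aapt).
CHAT_APP_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.chat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
</manifest>
"""

SUSPECT_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.chat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> set[str]:
    """Return every permission declared via <uses-permission android:name=...>."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for el in root.iter("uses-permission"):
        # The android: prefix resolves to the namespace URI in ElementTree.
        name = el.get(f"{{{ANDROID_NS}}}name")
        if name:
            names.add(name)
    return names


def sensitive_requests(manifest_xml: str) -> dict[str, str]:
    """Subset of requested permissions that map to a data category from the article."""
    return {
        perm: SENSITIVE_PERMISSIONS[perm]
        for perm in sorted(requested_permissions(manifest_xml))
        if perm in SENSITIVE_PERMISSIONS
    }


def is_suspicious(manifest_xml: str, threshold: int = 4) -> bool:
    """Flag a manifest that requests at least `threshold` of the six categories.

    The threshold is a hypothetical triage cut-off chosen for this example: a
    chat app plausibly needs contacts, but not call logs, SMS, accounts and
    location together.
    """
    return len(sensitive_requests(manifest_xml)) >= threshold


if __name__ == "__main__":
    for label, manifest in (("chat app", CHAT_APP_MANIFEST), ("suspect", SUSPECT_MANIFEST)):
        hits = sensitive_requests(manifest)
        print(f"{label}: {len(hits)} sensitive categories -> suspicious={is_suspicious(manifest)}")
        for perm, category in hits.items():
            print(f"  {perm} grants access to {category}")
```

The check is a triage aid, not a verdict: a legitimate backup or dialer app can request several of these permissions, so a hit should lead to a closer look at what the app does with the data, not to an automatic block.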
Previous attacks have used spear-phishing emails and Android malware families to obtain relevant data. The threat actor was also connected to an unreported incident in October 2023 involving Firebird, a .NET-based backdoor that targeted a small number of victims in Afghanistan and Pakistan.
Whether the malware is being used against people or organizations, domestically or abroad, is unclear. It is currently unknown whether the threat group intends to continue gathering intelligence for the benefit of the country. You can download the most recent version of the malware from the Google Play Store.