The world of cybersecurity is constantly evolving, with cybercriminals developing new tactics and techniques to infiltrate devices and networks. One such recent development is the increasing use of fake Android VPN applications, posing a significant threat to online safety.

These malicious applications, disguised as legitimate software, often trick users into granting them access to sensitive information. Their nefarious purpose was recently highlighted when cybersecurity firm Cyfirma discovered three Android apps that were being used for intelligence gathering by state-sponsored threat actors. These apps, linked to the Indian hacking group “DoNot,” also known as APT-C-35, were employed to harvest data such as location data and contact lists from targeted devices.

The fake VPN application, iKHfaa VPN, was among the two applications uploaded on Google Play by ‘SecurITY Industry’. While the download count for these applications was relatively low, indicating selective use against specific targets, the permission requests raised serious concerns. They sought access to users’ contact lists and precise location data, which were then exfiltrated to the hackers.

In an unsettling revelation, Cyfirma’s analysts found that the code base for the malicious VPN app was directly taken from the legitimate Liberty VPN product. This shows a high level of sophistication and deceit in the threat actors’ methods, making them harder to detect and increasing the damage potential.

The Lurking Danger of Spyware Disguised as Chat Apps

In parallel with the threat posed by fake VPN apps, another form of deception is being utilized by cybercriminals: chat applications. In the same operation attributed to DoNot, a fake chat app called nSure Chat was used to prepare the ground for more dangerous malware infections, forming the first stage of the threat group’s attacks.

Much like the fake VPN apps, the malicious chat app requested risky permissions during installation, enabling the hackers to collect and exfiltrate sensitive information. The app used Android’s Room persistence library to store the collected data locally before sending it to the attacker’s command and control (C2) server via an HTTP request.

The ability of these malicious apps to pose as legitimate tools, combined with the legitimacy granted by their presence on the Google Play store, highlights an escalating threat in the realm of cybersecurity. Victims are not only more likely to trust and download these apps but are also at a higher risk of exposing sensitive information, thus amplifying the damage caused by such attacks.

Understanding DoNot’s Modus Operandi: From Phishing Emails to Spear Messaging

A deeper understanding of the tactics employed by threat groups like DoNot is essential in mitigating the risks posed by such cyber-espionage operations. In this case, DoNot appears to have shifted its strategy from sending phishing emails with malicious attachments to a more subtle and effective tactic: spear messaging attacks via popular messaging platforms like WhatsApp and Telegram.

Direct messages sent through these platforms encourage victims to download the malicious apps from the Google Play store, a trusted platform that lends credibility to the operation. This way, even the most cautious users can be easily tricked into unknowingly facilitating the hackers’ objectives.

Furthermore, Cyfirma’s attribution of the campaign to DoNot is based on the use of encrypted strings utilizing the AES/CBC/PKCS5PADDING algorithm and Proguard obfuscation, tactics previously associated with this group. Additional clues such as the naming of certain files further solidify the connection to past DoNot campaigns.

The Importance of Trusting Reliable VPNs: A Defense Against Cyber Threats

Given the rising threat posed by fake VPNs, users must be vigilant and opt for reliable, tested, and reputable VPNs. These VPNs offer robust security measures and transparent privacy policies, minimizing the risk of falling victim to cyber-espionage operations. Here, we examine three reliable VPNs in the market: PrivateVPN, NordVPN, and ExpressVPN.

An Inside Look at the Encryption and Obfuscation Techniques of DoNot

Examining the intricacies of DoNot’s operations provides vital insights into their encryption and obfuscation techniques, facilitating a more comprehensive understanding of how these cybercriminals operate.

The malicious apps involved in the DoNot campaigns have been observed to use encrypted strings, specifically with the AES/CBC/PKCS5PADDING algorithm, that is, AES in CBC mode with PKCS#5 padding, written the way a Java cipher transformation is named. Data encrypted this way is difficult to crack, especially without the specific decryption key. This allows the threat actors to keep their communication and data hidden, making it challenging for cybersecurity experts to detect their activities.

Additionally, these apps employ Proguard obfuscation, a technique commonly used in legitimate software to protect intellectual property and improve efficiency. In this context, however, it’s used to conceal the malicious intent of the apps, complicating the process of threat detection and analysis.

These techniques underscore the extent to which the DoNot group will go to keep their operations covert and maintain their grip on their targets’ devices.
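For analysts triaging a decompiled sample, the two traits above can be searched for together. The following is an added example, not code from Cyfirma's report or from the apps themselves: the decompiled sources are constructed, the key and IV are dummy values, and the assumption that key material is built from string literals is ours, not the report's.

```python
import re

# Cipher transformation named in the report, matched case-insensitively here.
TRANSFORM = re.compile(r'Cipher\.getInstance\(\s*"(AES/CBC/PKCS5PADDING)"', re.I)
# Key or IV built from a string literal: an assumed pattern, not from the report.
INLINE_KEY = re.compile(r'new\s+(SecretKeySpec|IvParameterSpec)\(\s*"[^"]+"\.getBytes\(')
# ProGuard's default renaming leaves very short lowercase class names.
SHORT_CLASS = re.compile(r"\bclass\s+[a-z]{1,2}\b")

# Constructed decompiler output; the key and IV are dummy values.
SAMPLE_SOURCES = {
    "a/b.java": """
package a;
public final class b {
    static String a(String s) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5PADDING");
        c.init(2, new SecretKeySpec("0123456789abcdef".getBytes(), "AES"),
               new IvParameterSpec("fedcba9876543210".getBytes()));
        return new String(c.doFinal(Base64.decode(s, 0)));
    }
}""",
    "com/example/ui/MainActivity.java": """
package com.example.ui;
public class MainActivity extends Activity {
    protected void onCreate(Bundle b) { super.onCreate(b); }
}""",
}

def triage(sources):
    """Return one finding per file that uses the AES/CBC transformation."""
    findings = []
    for path, text in sorted(sources.items()):
        hit = TRANSFORM.search(text)
        if hit is None:
            continue
        findings.append({
            "file": path,
            "transformation": hit.group(1),
            "inline_key_material": sorted({m.group(1) for m in INLINE_KEY.finditer(text)}),
            "obfuscated_class": SHORT_CLASS.search(text) is not None,
        })
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_SOURCES):
        print(finding)
```

A hit only marks a class worth reading by hand: legitimate apps also use this transformation and ProGuard, so the finding is a starting point for analysis, not a verdict.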

The Evolving Targets and Impact of DoNot’s Campaigns

Despite our growing knowledge about DoNot’s strategies and techniques, less is known about their specific targets. In this recent campaign, it has been established that the victims are based in Pakistan. However, given the history of DoNot’s operations, their targets have often been high-profile organizations in Southeast Asia.

This group’s operations, while sophisticated, are also highly selective. The low download count of their malicious apps indicates a strategy of targeting specific individuals or organizations rather than large-scale, indiscriminate attacks. The ultimate purpose of these attacks may range from data theft to corporate espionage, wreaking havoc in the lives of individuals and potentially causing significant disruption in the operations of organizations.

Ensuring Cybersecurity Amidst Escalating Threats

As the sophistication and covert nature of cyber-espionage operations continue to escalate, maintaining robust cybersecurity measures has become an imperative. Users need to be extra vigilant about the applications they install, especially when they ask for sensitive permissions. Not all apps that appear on trusted platforms like Google Play are secure, and discerning their true nature requires a certain level of cybersecurity awareness.

Remember, granting permissions to access location data, contact lists, or other sensitive information should always be done sparingly and only to trusted apps from reputable developers. Keeping your mobile devices updated with the latest security patches and using reliable security solutions can also significantly reduce the risk of falling victim to such threats.
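The mismatch this article describes, a VPN client that also asks for the contact list and precise location, can be checked from an app's decoded AndroidManifest.xml before it is approved for install. The following is an added example, not taken from the report: the manifests and package names are constructed, and treating the combination as a review trigger is a heuristic assumption.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
VPN_BIND = "android.permission.BIND_VPN_SERVICE"
# The two data types the article says were requested and exfiltrated.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contact list",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
}

def manifest(package, permissions):
    """Build a constructed, decoded-style manifest for a VPN client."""
    uses = "".join(f'<uses-permission android:name="{p}"/>' for p in permissions)
    return (
        '<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
        f'package="{package}">{uses}<application>'
        f'<service android:name=".TunnelService" android:permission="{VPN_BIND}"/>'
        "</application></manifest>"
    )

# Constructed samples (hypothetical package names, not taken from the report).
SUSPECT = manifest("com.example.fakevpn", [
    "android.permission.INTERNET",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
])
BASELINE = manifest("com.example.plainvpn", ["android.permission.INTERNET"])

def audit_manifest(xml_text):
    """Report sensitive permissions that a VPN client's manifest requests."""
    root = ET.fromstring(xml_text)
    requested = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        requested |= {e.get(NS + "name") for e in root.iter(tag)}
    # A VpnService must be declared with the BIND_VPN_SERVICE permission.
    is_vpn = any(s.get(NS + "permission") == VPN_BIND for s in root.iter("service"))
    sensitive = sorted(SENSITIVE[p] for p in requested if p in SENSITIVE)
    return {
        "package": root.get("package"),
        "is_vpn": is_vpn,
        "sensitive": sensitive,
        "needs_review": is_vpn and bool(sensitive),
    }

if __name__ == "__main__":
    for sample in (SUSPECT, BASELINE):
        print(audit_manifest(sample))
```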

In the face of rising threats, developing a cybersecurity culture, both on an individual level and within organizations, is key. Education about phishing techniques, suspicious app behaviors, and the importance of regular system updates should be emphasized. In the fight against cyber threats, awareness and vigilance are our most potent weapons.

Final Thoughts

The rising menace of spyware disguised as fake VPN and chat apps points to an evolving cybersecurity landscape where threats are becoming more complex and deceptive. As we have seen with the DoNot threat group’s operations, cybercriminals are continually refining their techniques, making their attacks more targeted and harder to detect.

While this might seem daunting, remember that staying informed and adopting reliable tools are your best line of defense. Opting for trustworthy VPNs like PrivateVPN, NordVPN, and ExpressVPN can significantly enhance your online security, making it harder for threat actors to infiltrate your devices.

At the end of the day, cybersecurity is an ongoing journey. As cyber threats evolve, so too should our defenses. Staying aware, vigilant, and informed can help us navigate this challenging landscape, ensuring our data and online activities remain secure.


The DoNot threat group, also known as APT-C-35, is a state-sponsored hacking group linked to India. It’s known for its sophisticated cyber-espionage campaigns, targeting high-profile organizations in Southeast Asia since at least 2018. The group’s tactics include the use of fake VPN and chat apps to gather sensitive information from targeted devices.

The fake apps infiltrate devices by disguising themselves as legitimate apps on trusted platforms like Google Play. They trick users into granting risky permissions such as access to location data and contact lists. The collected information is stored locally and later sent to the attacker’s C2 server.

DoNot has shifted from sending phishing emails to spear messaging attacks via platforms like WhatsApp and Telegram. Victims are directed to the Google Play store to download the malicious apps. The group uses advanced encryption and obfuscation techniques to keep their operations covert.

Given the rising threat of fake VPN apps, it’s crucial to use reliable VPNs that offer robust security measures and transparent privacy policies. VPNs like PrivateVPN, NordVPN, and ExpressVPN are recommended due to their high security standards and performance.

Users can protect themselves by being cautious about the apps they install, especially those asking for sensitive permissions. Regular system updates, using reliable security solutions, and opting for trustworthy VPNs can significantly enhance security. Additionally, staying informed about evolving cyber threats is crucial.