Tanzeem Malware Used for Spying in Targeted Attacks

Tanzeem malware is being used in targeted cyber attacks to collect intelligence. A recent report attributes this Android malware to DoNot Team, a known hacking group.

The malware, distributed as apps named Tanzeem and Tanzeem Update, was discovered in October and December 2024. It poses as a chat app but has no chat functionality: once it has obtained the permissions it needs, it shuts down. Researchers believe it is aimed at specific individuals or groups for intelligence gathering.

DoNot Team, also tracked as APT-C-35, has a history of using spear-phishing emails and Android malware to spy on victims. In October 2023, the group deployed a .NET-based backdoor named Firebird against select targets in Pakistan and Afghanistan. How the latest samples are delivered to victims remains unclear, but researchers assess that the goal is intelligence collection.

One of the malware’s notable tactics is abuse of OneSignal, a legitimate customer engagement platform, to send push notifications carrying phishing links that lead to further malware installation. However it is delivered, the app presents a fake chat screen and urges the user to tap “Start Chat.” That tap leads to a prompt to grant the app access to the device’s accessibility services. An accessibility service can read what is on screen and perform actions on the user’s behalf, which is why spyware seeks this permission: once granted, the malware can carry out its actions without further user interaction.

The malware requests access to sensitive data: call logs, contacts, messages, location, and stored files. It can also record the screen and communicates with a command-and-control (C2) server. Researchers found that it uses push notifications to prompt victims to install additional malware, which maintains long-term access to the infected device.
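The permission set and accessibility-service abuse described above are exactly what an analyst looks for when triaging a decoded APK manifest. The following script is an added example, not code from the report or from the malware: it parses an AndroidManifest.xml, groups the requested permissions by the data type they unlock, and flags any service that binds as an accessibility service. The two manifests are constructed for illustration, and the mapping from permission names to data types is an assumption, since the report names only the kinds of data collected, not the permissions requested.

```python
"""Static permission/accessibility triage of a decoded AndroidManifest.xml.

Added example, not code from the report or from the malware. The manifests below
are constructed for illustration; the permission-to-data mapping is an assumption.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumed mapping: permissions that grant the data types the report lists.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "messages",
    "android.permission.RECEIVE_SMS": "messages",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_EXTERNAL_STORAGE": "stored files",
    "android.permission.MANAGE_EXTERNAL_STORAGE": "stored files",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install further apps",
}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"


def _android_attr(elem, name):
    """Read an attribute from the android: namespace, e.g. android:name."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def triage_manifest(xml_text):
    """Return sensitive data categories requested, accessibility services
    declared, and a coarse verdict for the manifest."""
    root = ET.fromstring(xml_text)
    requested = {_android_attr(e, "name") for e in root.iter("uses-permission")}

    categories = {}
    for perm in sorted(requested):
        category = SENSITIVE_PERMISSIONS.get(perm)
        if category:
            categories.setdefault(category, []).append(perm)

    # A service is an accessibility service if it requires the bind permission
    # or registers the AccessibilityService intent action.
    accessibility_services = []
    for svc in root.iter("service"):
        binds = _android_attr(svc, "permission") == ACCESSIBILITY_BIND
        actions = {_android_attr(a, "name") for a in svc.iter("action")}
        if binds or ACCESSIBILITY_ACTION in actions:
            accessibility_services.append(_android_attr(svc, "name"))

    if accessibility_services and len(categories) >= 3:
        verdict = "likely spyware"
    elif accessibility_services or categories:
        verdict = "review"
    else:
        verdict = "no findings"

    return {
        "package": root.get("package"),
        "sensitive_data": categories,
        "accessibility_services": accessibility_services,
        "verdict": verdict,
    }


# Constructed manifest mimicking a fake chat app with a spyware permission set.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakechat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Chat">
    <service android:name=".SpyService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"
             android:exported="true">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed benign manifest for contrast.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>"""

if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(manifest))
```

The verdict thresholds are deliberately coarse: a legitimate messaging app can reasonably hold contacts and SMS permissions, so the combination that matters is broad data access plus an accessibility service in an app whose purpose does not need one. Run the script against a manifest produced by apktool or a similar decoder; the output is a starting point for manual review, not a classifier.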

Google’s Response

Following these findings, Google confirmed that no apps containing this malware have been found on the Google Play Store. Android users on devices with Google Play Services are protected by Google Play Protect, which is enabled by default and blocks or warns about apps known to be malicious, even when the app is sideloaded from outside Play.

Preventive Measures

To stay safe, users should avoid sideloading apps from unknown sources. Review the permissions an app requests before granting them, and treat a request to enable an accessibility service from an app that has no need for one, such as a chat app, as a red flag; the services currently enabled can be audited under Settings > Accessibility. Keep devices updated and leave Play Protect enabled.