Zimperium’s Coverage Against Android Malware in Donot APT Operations and Extended Indicators of Compromise


A recent publication by CYFIRMA highlighted a sophisticated Android malware campaign linked to the Donot Advanced Persistent Threat (APT) group. The attackers use malicious apps and domains to distribute spyware capable of stealing sensitive user information and gaining unauthorized access to devices. These campaigns demonstrate a high degree of sophistication, including custom-built malware and the exploitation of legitimate services to avoid detection.

The original report disclosed two malicious samples used by Donot. Zimperium’s Mobile Threat Defense (MTD) solution provides comprehensive zero-day protection against these samples, detecting and blocking malicious apps and network activity on mobile devices. Our machine learning classifiers were capable of identifying the behaviors associated with this malware even before it was disclosed. As part of our ongoing commitment to user protection, we have identified 17 additional malicious apps and 9 domains associated with this campaign.

The discovery of these additional IOCs underscores Zimperium’s proactive threat intelligence capabilities and its dedication to extending protection beyond the known attack surface. These updates ensure our users remain secure against evolving APT campaigns. The extended IOC list is available in the following GitHub repository.

For more details on the Donot APT operation, read CYFIRMA’s full report here.

Security Research. View the author's experience and accomplishments on LinkedIn.