According to an investigation by Amnesty International, an Indian cybersecurity firm has links to an Android spyware program used to target well-known activists.
Amnesty International’s team conducted the study after discovering evidence of espionage against a Togolese activist and indicators of spyware deployment in many important Asian territories.
The Android malware has been traced to an Indian cybersecurity firm, Innefu Labs, according to information gathered by Amnesty International, which says an IP address belonging to the firm was regularly used to disseminate the spyware payload.
On the other hand, the actual deployment might be the work of the ‘Donot Team’ (APT-C-35), an Indian hacking group that has targeted Southeast Asian governments since at least 2018.
It’s conceivable that Innefu isn’t aware of how its clients or third parties are employing its products. However, now that all technical details have been revealed, an external audit may disclose everything.
Innefu Labs denies any connection with the Donot Team or the targeting of activists in a note to Amnesty International.
The activists were targeted after receiving an unsolicited message on WhatsApp recommending the installation of an allegedly safe chat application called ‘ChatLite.’
After failing there, the attackers sent an email from a Gmail account containing a malware-laced MS Word file that exploited an old, already-patched vulnerability.
The spyware in the ChatLite instance was a custom-built Android app that allowed the attacker to capture sensitive data from the device and download other malware tools.
The malware delivered through a malicious Word document has the following features:
- Record keystrokes
- Steal files and information from both local and removable storage
- Take frequent screenshots
- Download more spyware modules
Amnesty’s experts discovered many similarities between the Android spyware sample and “Kashmir Voice v4.8.apk” and “SafeShareV67.apk,” two malware programs related to previous Donot Team operations.
The investigators discovered a “testing” site in the United States where the threat actors were keeping screenshots and keylogging data from infected Android phones; an opsec error by the threat actor left this data accessible to the researchers.
Amnesty International initially noticed the Innefu Labs IP address here. Otherwise, the real source was hidden by a virtual private network (VPN).