The hacking group DoNot is using a new malware loader for Android called Firestarter, which abuses a legitimate Google messaging service to evade detection.
DoNot uses Firebase Cloud Messaging (FCM), a cross-platform cloud messaging and notification service for Android, iOS and web applications provided by Firebase, a Google subsidiary.
Firestarter uses FCM as its communication channel to DoNot's C2 servers, so the loader's traffic blends in with legitimate Google traffic and the group's activity is harder to detect.
Researchers at Cisco Talos said: "Our research revealed that DoNot was testing new technologies to maintain a foothold within the victim's devices."
They added: "These experiments are a sign of how intent the group is on continuing to operate, despite its vulnerability, making it a particularly dangerous actor operating in the espionage space."
DoNot focuses on India and Pakistan, and is known to target Pakistani government officials and Kashmiri non-profit organizations.
The researchers said: "Users are urged to install the malicious application on the device, and this is likely to be done through direct messages that use social engineering."
Once users open the app, which purports to be a chat platform, they are shown a message stating that chats are still loading, that the app is not supported and that it is being uninstalled.
The launcher icon is removed as soon as the uninstall message appears, although the app still appears in the application list in the phone's settings.
In the background, the app remains installed and attempts to fetch its next-stage code using FCM.
According to Firebase, an FCM implementation includes two main components for sending and receiving messages: an application server (or other trusted server environment) from which messages are composed, targeted and sent, and the iOS, Android or web client app that receives them.
The malicious application sends its FCM registration token to the C2 server, together with information about the device including geolocation, IP address, IMEI and the victim's email address. This lets the operators decide whether a given victim should receive the payload and, if so, target the FCM message at that device's token.
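The exchange described above, modelled end to end as an added example; this is illustrative code written for this page, not code from Cisco Talos or from the Firestarter sample. It runs offline: the "network" is an in-memory stand-in for FCM, and the device details, token and payload URL are constructed. The shape of the FCM HTTP v1 request body (`{"message": {"token": ..., "data": {...}}}` with string-only data values) and the send endpoint follow Firebase's public documentation; the field names in the loader's own beacon to the C2 and the `url` key carried in the FCM data payload are assumptions chosen to match the article's description.

```python
import json
from urllib.parse import urlparse

# Real FCM HTTP v1 send endpoint (Firebase docs); it is never contacted here.
FCM_SEND_ENDPOINT = "https://fcm.googleapis.com/v1/projects/{project_id}/messages:send"

# Constructed sample of what the loader collects; field names are assumptions.
SAMPLE_DEVICE = {
    "imei": "356938035643809",
    "email": "victim@example.invalid",
    "ip": "203.0.113.7",
    "lat": "33.7294",
    "lon": "73.0931",
}
SAMPLE_TOKEN = "fcm-registration-token-victim-1"
SAMPLE_PAYLOAD_URL = "https://payload.example.invalid/stage2.apk"


def build_registration_beacon(fcm_token, device):
    """Loader side: the one request that goes to the C2 host directly.
    It carries the FCM token plus the identifiers the article lists, so the
    operator can pick which device gets the next stage."""
    required = ("imei", "email", "ip", "lat", "lon")
    missing = [k for k in required if k not in device]
    if missing:
        raise ValueError(f"beacon missing fields: {missing}")
    return {"token": fcm_token, **{k: device[k] for k in required}}


def build_fcm_data_message(project_id, fcm_token, payload_url):
    """Operator side (Firebase's "application server"): request body for a
    data-only message aimed at a single registration token. FCM v1 requires
    every value under "data" to be a string. Returns (endpoint, json_body)."""
    body = {"message": {"token": fcm_token, "data": {"url": payload_url}}}
    return FCM_SEND_ENDPOINT.format(project_id=project_id), json.dumps(body)


def handle_fcm_message(raw_json):
    """Loader side: extract the next-stage URL from a delivered data payload.
    Returns None for anything that is not an absolute https URL, so a
    malformed or unexpected message does not trigger a download.
    (Simplification: a real Android client reads RemoteMessage.getData();
    here the same JSON body that was sent is handed back.)"""
    msg = json.loads(raw_json)
    url = msg.get("message", {}).get("data", {}).get("url")
    if not isinstance(url, str):
        return None
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.netloc:
        return None
    return url


class FakeFcm:
    """In-memory stand-in for Firebase: routes a message to the inbox of the
    token it targets. Real FCM delivers over Google's push channel, which is
    why the device never has to contact the operator's server for commands."""

    def __init__(self):
        self.inboxes = {}

    def register(self, token):
        self.inboxes.setdefault(token, [])

    def send(self, endpoint, body):
        assert endpoint.startswith("https://fcm.googleapis.com/v1/projects/")
        token = json.loads(body)["message"]["token"]
        if token not in self.inboxes:
            raise KeyError("unknown registration token")
        self.inboxes[token].append(body)

    def receive(self, token):
        return self.inboxes[token].pop(0) if self.inboxes.get(token) else None


def run_exchange(device=SAMPLE_DEVICE, fcm_token=SAMPLE_TOKEN,
                 payload_url=SAMPLE_PAYLOAD_URL, project_id="operator-project"):
    """Full round trip: register -> beacon to C2 -> operator sends via FCM ->
    loader receives and extracts the payload URL."""
    fcm = FakeFcm()
    fcm.register(fcm_token)                                   # app obtains its token
    beacon = build_registration_beacon(fcm_token, device)     # loader -> C2 (direct)
    endpoint, body = build_fcm_data_message(project_id, beacon["token"], payload_url)
    fcm.send(endpoint, body)                                  # operator -> FCM
    delivered = handle_fcm_message(fcm.receive(fcm_token))    # FCM -> loader
    return {"beacon": beacon, "fcm_endpoint": endpoint, "url": delivered}


if __name__ == "__main__":
    print(json.dumps(run_exchange(), indent=2))
```

The point for defenders follows from the flow: only the registration beacon names the C2 host, and only it carries the device identifiers. Everything after it travels over Google's FCM endpoints, which look identical to the push traffic of any legitimate app, so network detection has to key on that first request (an FCM token plus IMEI, email and location posted to a non-Google host) rather than on the FCM traffic itself.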