An Amnesty International report links an Indian cybersecurity company to an Android spy program used to target high-profile activists.
The investigation comes from the Amnesty International team, which confirmed a case of espionage against a Togolese activist and also observed signs of spyware deployment in several key regions of Asia.
According to Amnesty International, the Android spyware has been linked to Indian cybersecurity company Innefu Labs after a company-owned IP address was repeatedly used for the distribution of the spyware payload.
However, the actual deployment could be the work of the “Donot Team” (APT-C-35), a collective of Indian hackers who have been targeting governments in Southeast Asia since at least 2018.
Amnesty notes that Innefu may not be aware of how its customers or other third parties use its tools. However, now that all the technical details are public, an external audit could establish the full picture.
In a letter written to Amnesty International, Innefu Labs denies any involvement with the Donot team and the targeting of activists.
“From the outset, we firmly deny the existence of any link whatsoever between Innefu Labs and the spyware tools associated with the ‘Donot Team’ group and the attacks against a human rights defender in Togo. As we have already indicated in our previous letter, we are not aware of any ‘Donot Team’ nor do we have any relationship with them.
In your letter of 20.09.2021, reference was made to a Xiaomi Redmi 5A phone, which allegedly accessed the IP address of Innefu Labs, as well as another private VPN server at a Ukrainian hosting company called Deltahost. We believe this phone is not owned by anyone associated with Innefu Labs. The mere fact that our IP address was accessed using this phone does not ipso facto establish the involvement of Innefu Labs in any of the alleged activities.” – Innefu Labs.
TechToSee has contacted Innefu Labs several times since yesterday morning but has not received a response.
Targeting Togolese activists
The attack on the activists began with an unsolicited message on WhatsApp, suggesting the installation of a supposedly secure chat application called “ChatLite”.
After that approach failed, the attackers sent an email from a Gmail account containing a booby-trapped MS Word file that exploits an old vulnerability to drop the spyware.
In the case of ChatLite, the spyware was a custom-developed Android application that allowed the attacker to collect sensitive data from the device and retrieve additional malicious tools.
The spyware delivered via the malicious Word document had the following capabilities:
- Record keystrokes
- Take screenshots regularly
- Steal files from local and removable storage
- Download additional spyware modules
By analyzing the Android spyware sample, Amnesty investigators found several similarities to “Kashmir_Voice_v4.8.apk” and “SafeShareV67.apk”, two malicious tools linked to previous Donot Team operations.
An opsec error by the threat actor allowed investigators to discover a “test” server in the United States where the attackers were storing screenshots and keylogging data from compromised Android phones.
This is where Amnesty first saw the Innefu Labs IP address; otherwise the real source was hidden behind a VPN.
Is Togo recruiting foreign hackers?
This is the first time that the Donot Team has been spotted targeting entities in African countries, and it could be a clue that the group is offering “hacker-for-hire” services to governments.
Freedom House gives Togo a “Partially free” rating, the country’s government being in the hands of the Gnassingbé family since 1963. The main opposition candidate, Agbéyomé Kodjo, was arrested in April 2020.
Sadly, human rights abuses, the targeting of activists and civil liberties defenders, and the crippling of political pluralism are common in Togo, and according to Amnesty’s report, things are only getting worse in this African country.