Amnesty International Links Cybersecurity Organizations to Spyware Operations

A report by Amnesty International links an Indian cybersecurity company to an Android spyware program used to target prominent activists. The research comes from Amnesty International’s team, who confirmed a case of espionage against a Togolese activist and also observed signs of spyware deployment across several key Asian regions.

Link to an Indian Cybersecurity Organization

According to Amnesty International, the Android spyware has been linked to Indian cybersecurity company Innefu Labs after an IP address relating to the company was repeatedly used to distribute the spyware payload.

However, the actual setup could be the work of the ‘Donot Team’ (APT-C-35), a collective of Indian hackers who have been targeting governments in Southeast Asia since at least 2018.

Amnesty notes that it’s possible Innefu is not aware of how its customers or other third parties are using its tool. However, an external audit could disclose everything now that full technical details have come to light.

In a letter to Amnesty International, Innefu Labs denies any involvement with the Donot Team and the targeting of activists.

“At the outset, we firmly deny the existence of any link whatsoever between Innefu Labs and the spyware tools associated with the ‘Donot Team’ group and the attacks against a Human Rights Defender in Togo. As has already been stated by us in our previous letter, we are not aware of any ‘Donot Team’ or have any relationship with them.

In your letter dated 20.09.2021, references have been made to a Xiaomi Redmi 5A phone, which has allegedly accessed the IP address of Innefu Labs, and also of some other private VPN server to access the Ukrainian hosting company called Deltahost. We believe this phone does not belong to any person associated with Innefu Labs. Merely because our IP address has been accessed using this phone does not ipso facto conclude Innefu Labs’ involvement in any of the alleged activities” – Innefu Labs.      

Targeting Togolese Activists

The attack on the activists started with an unsolicited message on WhatsApp, suggesting the installation of a supposedly secure chat app called ‘ChatLite.’ When that failed, the threat actors sent an email from a Gmail account, which contained a laced MS Word file that exploits an old vulnerability to drop the spyware.


In the ChatLite case, the spyware was a custom-developed Android app that allowed the threat actor to gather sensitive information from the device and fetch additional malware tools.


The spyware distributed through malicious Word documents had the following abilities:

  • Take screenshots regularly
  • Download additional spyware modules
  • Steal files from local and removable storage
  • Record keystrokes

By examining the Android spyware sample, Amnesty’s researchers discovered some similarities to “Kashmir_Voice_v4.8.apk” and “SafeShareV67.apk,” two malware tools linked to past Donot Team operations.

An opsec mistake by the attackers allowed the researchers to find a “testing” server in the USA where the attackers were storing screenshots and keylogging data from compromised Android phones.


That server is where Amnesty first saw the Innefu Labs IP address; otherwise, the real source was hidden behind a VPN.

Is Togo Hiring Foreign Hackers?

This is the first time that the Donot Team has targeted entities in African countries, and it could be an indication that the group is offering a ‘hacker for hire’ service to governments.

Freedom House gives Togo a ‘Partly Free’ rating, with the ruling of the country being in the hands of the Gnassingbe family since 1963. The main opposition candidate, Agbeyome Kodjo, was arrested in April 2020.

Unfortunately, human rights violations, the targeting of activists and civil liberties advocates, and the crippling of political pluralism are common in Togo, and according to Amnesty’s report, things are only getting worse in the African country.
