Terror groups in Jammu and Kashmir adopt Canadian messaging app to evade Indian security services

The use of Nandbox, a messaging

Terror groups in Jammu and Kashmir adopt Canadian messaging app to evade Indian security services

Share this story

The use of Nandbox, a messaging app development platform, is likely an attempt to diversify the terror groups’ online footprint

(Source: @dfrkaul/DFRLab via Pexels)

Despite the imposition of some of the most pervasive counter-insurgency methods in the world, terror groups in Jammu and Kashmir continue to evolve their social media insurgent tactics, turning to lesser-known encrypted communication apps.

In a bid to evade scrutiny from the Indian intelligence and security agencies, the Hizbul-Mujahideen (HM) and The Resistance Front (TRF), two Islamabad-backed proxy insurgent groups, have adopted Nandbox Messenger, a Canadian messaging app and app-development platform. The insurgents use the app’s messaging features to claim real-world attacks against security services, amplify propaganda materials to their supporters, announce new recruitments, and share testimonials of slain members. The groups also use the “interactive channel” feature of the app to cross-post links to terrorist propaganda hosted on other social media platforms, including YouTube, WhatsApp, Twitter, and Telegram. At present, the use of Nandbox messenger by HM and TRF represents an attempt to diversify these groups’ online social media footprint, which may make them more resilient in the face of greater content moderation from major platforms.

The DFRLab has previously covered the advent of social media insurgent tactics by militant groups in Kashmir following the death of Burhan Wani, a local commander of Hizbul-Mujahideen (HM) a Pakistan-backed proxy terror group operating in the valley, in a counter-terror operation in 2016. Subsequently, the DFRLab continued to monitor development of these tactics in the face of pervasive physical and digital restrictions imposed by the Indian government following the unilateral abrogation of Article 370, a constitutional amendment governing the autonomy and administrative status of the state on August 5, 2019. Last year, the DFRLab highlighted the increasingly symbiotic nature between digital propaganda and real-world violence through an examination of the activities of The Resistance Front (TRF), a new terror outfit comprised of existing militant forces that carried out a series of high-profile armed attacks on Indian security services in April 2020.

Now, this new investigation reveals how local terror groups continue to evolve in the digital age, adopting lesser-known digital communication platforms to evade intelligence agencies while simultaneously augmenting their broader strategy of using of mainstream social media to propagandize, recruit, and crowdsource violence in the valley.

What is Nandbox?

Nandbox is a Canadian mobile app development platform that allows individuals without coding experience to develop their own native mobile applications using an app builder compatible with both Android and iOS operating systems.

The platform provides a drag-and-drop toolkit that allows users to create and publish custom applications. As part of its marketing, the company has created a messenger application showcasing the platform’s features. The promotional materials also encourage users to create their own applications replicating other mainstream voice-over-IP (VoIP) and Instant Messaging (IM) apps, such as Facebook, WhatsApp messenger, and Viber, a Japanese-developed encrypted messaging service. (The DFRLab reached out to Nandbox for comment on this story, but at the time of publishing has not received a response.)

Promotional materials on Nandbox website highlighting the ability for users to replicate other popular IM services. (Source: Nandbox.com/archive)

In addition to decreasing the barriers to entry for those seeking to develop mobile apps, Nandbox offers a suite of other features, including stringent privacy with contact information of account holders kept confidential, the ability to use a single phone number to create four different profiles, the creation and management of interactive channels and chat groups capable of hosting up to 10,000 members, and free voice and video call capability. While designed for legitimate users, the same features are also attractive to malicious actors seeking to evade the increased scrutiny of their on-platform activities by Indian intelligence agencies and major social media platforms. These groups appear to primarily be using Nandbox for its chat group features at this stage.

Marketing campaign for Nandbox messenger touts the suite of features offered by the app. (Source: Nandbox.com/archive)

From suicide attacks to app design

The DFRLab investigated two “interactive channels” on the Nandbox platform. The first, which we will call Group A, was created on January 12, 2021 and matched the name of the official Telegram group of Hizbul Mujahideen, a U.S.-designated Islamist terror group that seeks the complete integration of the state of Jammu and Kashmir with Pakistan. Comprised of both local and foreign forces, HM is the largest insurgent group currently operating in the valley, with its propaganda aimed at presenting itself as a largely indigenous movement seeking to overturn Indian rule. The second, Group B, was created on January 20, 2021 and belongs to The Resistance Front (TRF). TRF was the first group founded in direct opposition to the BJP-led central government unilateral revocation of Article 370 on August 5, 2019. (The DFRLab has chosen not to name these channels publicly so as to avoid directing traffic to them.)

At the time of analysis, the channels had 89 and 46 members, respectively, but the channels’ users were making attempts to recruit from other platforms and build an audience by cross-posting content.

Account bio for Group A’s interactive channel on Nandbox messenger. Some details obscured to avoid propagating the group. (Source: @dfrkaul/DFRLab via Nandbox Messenger)
Account bio for Group B’s interactive channel on Nandbox messenger. Some details obscured to avoid propagating the group. (Source: @dfrkaul/DFRlab via Nandbox Messenger)

The invite links to the new Nandbox interactive channels were initially amplified in the WhatsApp and Telegram groups used by both HM and TRF, suggesting an attempt to migrate users from these more mainstream social media platforms to services less scrutinized by Indian security and intelligence services.

Example of posts amplified on Telegram channels used by J&K terror groups sharing the invite link to the Nandbox messenger interactive channel. (Source: @dfrkaul/DFRLab via Telegram)
Example of posts uploaded on WhatsApp groups used by J&K terror groups sharing the invite link to the Nandbox messenger interactive channel. (Source: @dfrkaul/DFRLab via WhatsApp)

As part of their daily activity, both channels would regularly upload posts claiming terror attacks conducted by the respective groups. These posts included videos and graphics aimed at glamorizing the attacks as well as issuing further threats of violence against security services and local “collaborators” for providing information that may be used in counter-insurgency operations in the state. Significantly, the HM channel also posted identical graphics as well as cross-posted public statements made by TRF leadership, providing further open-source evidence of tactical and operational inter-operability between the two proxy terror groups.

Examples of posts uploaded on the interactive channel that highlighted attacks by groups, as well content that sought to glamorize violence against the Indian state. (Source: @dfrkaul/DFRLab via Nandbox Messenger)
Example of identical posts uploaded in both groups on January 22, 2021. The posts were uploaded within a minute of one another, suggesting a common administrator for both interactive channels. (Source: @dfrkaul/DFRLab via Nandbox Messenger)
Another post uploaded on the HM group amplified a public statement by the Commander of TRF. (Source: @dfrkaul/DFRLab via Nandbox Messenger)

Other posts included testimonials of members killed in counter-terror operations by Indian forces, with audio messages and video tributes dedicated to specific HM commanders killed over the course of the insurgency. This propaganda aims at deifying the fallen members while also suggesting that death in the course of violence against the state provided a pathway to celebrity.

Example of posts commemorating fallen members of the group. (Source: @dfrkaul/DFRLab via Nandbox Messenger)

Alongside testimonials, both groups also used their channels to announce new local recruits, accompanied by photographs providing the name, age, family background, and organizational affiliation of the new members. In multiple instances such recruitment posts were accompanied by audio messages from the new recruit stating their intentions to take up arms against the Indian state. Amplifying the recruitment of locals serves as a powerful form of propaganda for HM and TRF, aiding them in projecting themselves as indigenous insurgent movements with local support. By revealing the recruits’ identity, the group also reduces the chance of their early defection, as recruits will find it more difficult to return to their former lives.

Example of posts amplifying personal details of new recruits alongside audio messages from the individual publicizing their decision to join the terror group. (Source: @dfrkaul/DFRLab via Nandbox Messenger)

Finally, other posts on the group cross-post links to digital propaganda uploaded by both groups on mainstream social media platforms, including links to the HM and TRF social media accounts on Twitter, Telegram, YouTube, and lesser-known apps, such as Element Messenger (formerly known as Riot Instant Messenger).

Example of posts uploaded on the channels that cross-post links to terrorist propaganda hosted on both mainstream and lesser-known social media platforms. (Source: @dfrkaul/DFRLab via Nandbox Messenger)

HM and TRF’s recent adoption of Nandbox Messenger represents an evolution in social media insurgency tactics in J&K over time: from the growing use of major social media platforms in 2016 to the adoption of bespoke messenger applications in 2021.

At present HM and TRF appear to be using the Nandbox Messenger app as a means to diversify their online footprint, providing a backup channel in case other groups used by the organizations on more well-known social media platforms are taken down. This strategy makes these groups more resilient in the face of growing content moderation by social media platforms and greater scrutiny from Indian intelligence services.

Ayushman Kaul is a Research Assistant, South Asia, with the Digital Forensic Research Lab (@DFRLab).

Follow along for more in-depth analysis from our #DigitalSherlocks.