19 September 2023

Transparent Tribe APT spreads CapraRAT malware via fake YouTube Android apps

A Pakistan-aligned threat actor has been observed using fake Android apps mimicking YouTube to distribute the CapraRAT backdoor in a new cyber espionage campaign.

The group known as Transparent Tribe (APT36, Mythic Leopard, ProjectM, Operation C-Major) largely targets Indian entities and assets. Transparent Tribe has also been known to target entities in Afghanistan and social activists in Pakistan.

The CapraRAT mobile remote access trojan (RAT) is believed to be a modified version of the open-source AndroRAT malware. It was first detailed by Trend Micro in February 2022 and exhibits overlaps with CrimsonRAT, a Windows malware known to be used only by Transparent Tribe.

CapraRAT comes with a variety of features, including the ability to record with the microphone and the front and rear cameras, collect messages and call logs, send SMS messages and block incoming SMS, make phone calls, take screen grabs, override system settings, and modify files on the device’s filesystem.

The group’s most recent campaign, observed by SentinelLabs researchers, involves several malicious APKs distributed outside of Google Play under the names “YouTube” and “Piya Sharma.” These APKs were uploaded to VirusTotal in April, July, and August 2023, the researchers said.

Upon installation, the malicious apps request numerous permissions, including ones irrelevant to the apps’ expected behavior, such as permission to read text messages or to modify or delete the contents of an SD card.
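The permission mismatch described above is something a defender can check directly in a decoded AndroidManifest.xml. The following is an added triage example, not code from SentinelLabs or from the article: it compares the permissions an app requests against what a video-streaming app legitimately needs, groups the excess by the CapraRAT capability it would enable, and flags a registered SMS_RECEIVED receiver. The grouping, the baseline and the sample manifest are this example's own constructions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions a video-streaming app has no legitimate need for, grouped by the
# CapraRAT capability they would enable. The grouping is this example's choice.
SUSPICIOUS = {
    "sms access": {"android.permission.READ_SMS", "android.permission.SEND_SMS",
                   "android.permission.RECEIVE_SMS"},
    "audio/video capture": {"android.permission.RECORD_AUDIO", "android.permission.CAMERA"},
    "call control": {"android.permission.CALL_PHONE", "android.permission.READ_CALL_LOG"},
    "storage tampering": {"android.permission.WRITE_EXTERNAL_STORAGE"},
    "settings override": {"android.permission.WRITE_SETTINGS"},
}

# Constructed sample of a decoded manifest (not taken from a real CapraRAT APK).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.video">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def triage_manifest(manifest_xml: str) -> dict:
    """Return {capability: sorted permissions} for each suspicious permission
    requested, plus a flag when a receiver for SMS_RECEIVED is registered,
    which lets the app observe (and, at high priority, interfere with) SMS."""
    root = ET.fromstring(manifest_xml)
    requested = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    findings = {cap: sorted(requested & perms)
                for cap, perms in SUSPICIOUS.items() if requested & perms}
    actions = {a.get(ANDROID_NS + "name") for a in root.iter("action")}
    if "android.provider.Telephony.SMS_RECEIVED" in actions:
        findings["sms interception receiver"] = ["android.provider.Telephony.SMS_RECEIVED"]
    return findings


if __name__ == "__main__":
    for capability, perms in triage_manifest(SAMPLE_MANIFEST).items():
        print(f"{capability}: {', '.join(perms)}")
```

In practice the manifest is obtained from the APK with a decoder such as apktool, and the baseline should be tuned to the category the app claims to belong to.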

“The group’s decision to make a YouTube-like app is a new addition to a known trend of the group weaponizing Android applications with spyware and distributing them to targets through social media. Individuals and organizations connected to diplomatic, military, or activist matters in the India and Pakistan regions should evaluate defense against this actor and threat,” the researchers advised.
