19 September 2023

Transparent Tribe APT spreads CapraRAT malware via fake YouTube Android apps

A Pakistan-aligned threat actor has been observed using fake Android apps mimicking YouTube to distribute the CapraRAT backdoor in a new cyber espionage campaign.

The group, known as Transparent Tribe (also tracked as APT36, Mythic Leopard, ProjectM and Operation C-Major), largely targets Indian entities and assets. Transparent Tribe has also been known to target entities in Afghanistan and social activists in Pakistan.

CapraRAT is a mobile remote access trojan believed to be a modified version of the open-source AndroRAT malware. It was first detailed by Trend Micro in February 2022 and exhibits overlaps with CrimsonRAT, a Windows malware known to be used only by Transparent Tribe.

CapraRAT comes with a variety of features, including the ability to record with the microphone and the front and rear cameras, collect messages and call logs, send SMS messages and block incoming SMS, make phone calls, take screenshots, override system settings, and modify files on the device's filesystem.

The group's most recent campaign, observed by SentinelLabs researchers, involves several malicious APKs named "YouTube" and "Piya Sharma" that were distributed outside of Google Play. These APKs were uploaded to VirusTotal in April, July, and August 2023, the researchers said.

Upon installation, the malicious apps request numerous permissions, including some that are not relevant to the apps' expected behavior, such as permission to read text messages or to modify or delete the contents of the SD card.
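The permission mismatch described above is something an analyst can check before ever running a sideloaded APK. The following Python helper is an added example, not code from SentinelLabs or from the campaign itself: it parses the text printed by `aapt dump permissions <apk>` and reports every requested permission that falls outside a baseline of what a video-player app plausibly needs, annotating those that line up with the CapraRAT capabilities listed earlier (SMS, call log, microphone, camera, storage, system settings). The baseline, the capability mapping, the "suspicious" threshold and the sample `aapt` output are all assumptions constructed for this example.

```python
"""Triage the permissions requested by an APK against a per-app baseline.

Hypothetical helper (not the article's or the malware's code). Input is the
text printed by `aapt dump permissions <apk>`; handles both the newer
"uses-permission: name='...'" and the older "uses-permission: ..." formats.
"""
import re

# Permissions that line up with the CapraRAT capabilities the article lists.
# This mapping is the example's own, not a published detection rule.
CAPABILITY_BY_PERMISSION = {
    "android.permission.READ_SMS": "read SMS messages",
    "android.permission.RECEIVE_SMS": "intercept/block incoming SMS",
    "android.permission.SEND_SMS": "send SMS messages",
    "android.permission.READ_CALL_LOG": "collect call logs",
    "android.permission.CALL_PHONE": "place phone calls",
    "android.permission.RECORD_AUDIO": "record with the microphone",
    "android.permission.CAMERA": "record with the cameras",
    "android.permission.WRITE_EXTERNAL_STORAGE": "modify/delete SD card contents",
    "android.permission.WRITE_SETTINGS": "override system settings",
    "android.permission.RECEIVE_BOOT_COMPLETED": "persist across reboots",
}

# What a YouTube-style video app plausibly needs (assumed baseline).
VIDEO_APP_BASELINE = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.WAKE_LOCK",
}

# Matches "uses-permission: name='X'" and "uses-permission: X" line formats.
_PERM_RE = re.compile(r"^uses-permission(?:-sdk-23)?:\s*(?:name=')?([\w.]+)'?", re.M)
_PKG_RE = re.compile(r"^package:\s*(\S+)", re.M)


def parse_aapt_permissions(text):
    """Return (package_name_or_None, set of requested permission names)."""
    pkg = _PKG_RE.search(text)
    return (pkg.group(1) if pkg else None, set(_PERM_RE.findall(text)))


def triage(text, baseline=VIDEO_APP_BASELINE, min_spyware_hits=3):
    """Flag permissions outside the baseline and map them to spyware capabilities.

    `min_spyware_hits` (an assumed threshold) is how many capability-mapped
    permissions beyond the baseline it takes to mark the sample suspicious.
    """
    pkg, perms = parse_aapt_permissions(text)
    excess = perms - baseline
    findings = sorted(
        (p, CAPABILITY_BY_PERMISSION.get(p, "outside baseline, unmapped"))
        for p in excess
    )
    spyware_hits = [p for p in excess if p in CAPABILITY_BY_PERMISSION]
    return {
        "package": pkg,
        "requested": len(perms),
        "findings": findings,
        "spyware_hits": len(spyware_hits),
        "suspicious": len(spyware_hits) >= min_spyware_hits,
    }


# Constructed sample of `aapt dump permissions` output; not a real APK's manifest.
SAMPLE_AAPT_OUTPUT = """package: com.example.sample
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.ACCESS_NETWORK_STATE'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.RECEIVE_SMS'
uses-permission: name='android.permission.SEND_SMS'
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE'
uses-permission: name='android.permission.READ_CALL_LOG'
"""

# Constructed benign sample in the older aapt line format.
SAMPLE_BENIGN_OUTPUT = """package: com.example.benign
uses-permission: android.permission.INTERNET
uses-permission: android.permission.ACCESS_NETWORK_STATE
"""

if __name__ == "__main__":
    report = triage(SAMPLE_AAPT_OUTPUT)
    print(f"{report['package']}: {report['requested']} permissions requested, "
          f"suspicious={report['suspicious']}")
    for perm, capability in report["findings"]:
        print(f"  {perm:<50} -> {capability}")
```

In practice you would pipe `aapt dump permissions sample.apk` into `triage()` and adjust the baseline per app category; the point is that an app claiming to be a video player has no business requesting SMS, call-log or microphone access, and the mismatch alone is enough to pull the sample for deeper analysis.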

“The group’s decision to make a YouTube-like app is a new addition to a known trend of the group weaponizing Android applications with spyware and distributing them to targets through social media. Individuals and organizations connected to diplomatic, military, or activist matters in the India and Pakistan regions should evaluate defense against this actor and threat,” the researchers advised.
