Hacking group APT36, aka “Transparent Tribe,” has been observed using at least three Android apps that mimic YouTube to infect devices with their remote access trojan (RAT), “CapraRAT.”
Once the malware is installed on a victim’s device, it can harvest data, record audio and video, or access sensitive communications information, essentially functioning as a spyware tool.
APT36 is a Pakistan-aligned threat actor known to use malicious Android applications to attack Indian defense and government entities, those handling the affairs of the Kashmir region, and human rights activists in Pakistan.
This latest campaign was spotted by SentinelLabs, which warns people and organizations linked to the military or diplomacy in India and Pakistan to be wary of YouTube Android apps hosted on third-party sites.
YouTube impersonation
Malicious APKs are distributed outside of Google Play, Android’s official app store, so victims are most likely socially engineered to download and install them.
The APKs were uploaded to VirusTotal in April, July, and August 2023. Two of them are called “YouTube,” and the third, “Piya Sharma,” is associated with a persona’s channel likely used in romance-based social engineering.
During installation, the malicious apps request many risky permissions, some of which a victim might grant without suspicion to a media streaming app like YouTube.
The malicious apps’ interface attempts to mimic Google’s real YouTube app, but it looks like a web browser rather than the native app because the trojanized app loads the service inside a WebView. It also lacks several features available in the current official app.
Once CapraRAT is operational on the device, it performs the following actions:
- Recording with the microphone and the front and rear cameras
- Collecting SMS and multimedia message content and call logs
- Sending SMS messages and blocking incoming SMS
- Making phone calls
- Taking screenshots
- Modifying system settings such as GPS and network
- Editing files on the phone’s file system
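The permission set a sideloaded “YouTube” app requests is the first thing an analyst or a cautious user can check, because the capabilities listed above map almost one-to-one onto Android permissions. The following Python script is an added example, not code from SentinelLabs or from any CapraRAT sample: it triages a decoded AndroidManifest.xml (the form produced by tools such as apktool), lists the spyware-grade permissions it requests, and flags an app that labels itself “YouTube” but does not carry the official package name `com.google.android.youtube`. The manifest embedded below is constructed for the example; the package name `com.example.youtube.clone` is a placeholder.

```python
"""Triage a decoded AndroidManifest.xml for spyware-grade permissions.

Added example (not from the SentinelLabs report). It works on the decoded
manifest text, so it needs no Android tooling to run.
"""
import xml.etree.ElementTree as ET

# Attribute names in a decoded manifest live in the android: namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
OFFICIAL_YOUTUBE_PACKAGE = "com.google.android.youtube"

# Dangerous permissions mapped to the RAT capability they enable.
CAPABILITY_MAP = {
    "android.permission.RECORD_AUDIO": "microphone recording",
    "android.permission.CAMERA": "camera recording",
    "android.permission.READ_SMS": "reading SMS/MMS content",
    "android.permission.RECEIVE_SMS": "intercepting or blocking incoming SMS",
    "android.permission.SEND_SMS": "sending SMS",
    "android.permission.READ_CALL_LOG": "reading call logs",
    "android.permission.CALL_PHONE": "placing phone calls",
    "android.permission.ACCESS_FINE_LOCATION": "GPS tracking",
    "android.permission.WRITE_SETTINGS": "changing system settings",
    "android.permission.READ_EXTERNAL_STORAGE": "reading files",
    "android.permission.WRITE_EXTERNAL_STORAGE": "editing files",
}

# Constructed sample manifest (placeholder package name, literal label).
# Real decoded manifests usually reference the label as @string/app_name;
# resolving resource references is left out of this example.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.youtube.clone">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
    <application android:label="YouTube"/>
</manifest>
"""


def triage_manifest(manifest_xml: str) -> dict:
    """Return the package name, label, risky permissions and an impersonation flag."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    requested = [el.get(ANDROID_NS + "name", "") for el in root.iter("uses-permission")]
    app = root.find("application")
    label = app.get(ANDROID_NS + "label", "") if app is not None else ""

    risky = {p: CAPABILITY_MAP[p] for p in requested if p in CAPABILITY_MAP}
    # A "YouTube" label on a package that is not Google's is the impersonation tell.
    impersonates = label.strip().lower() == "youtube" and package != OFFICIAL_YOUTUBE_PACKAGE
    return {
        "package": package,
        "label": label,
        "risky_permissions": risky,
        "impersonates_youtube": impersonates,
        "risk_score": len(risky),
    }


if __name__ == "__main__":
    report = triage_manifest(SAMPLE_MANIFEST)
    print(f"package={report['package']} label={report['label']!r} "
          f"impersonates_youtube={report['impersonates_youtube']}")
    for perm, capability in report["risky_permissions"].items():
        print(f"  {perm}: enables {capability}")
    print(f"risk score: {report['risk_score']}")
```

A legitimate streaming app has no reason to read call logs or send SMS, so a manifest that scores high on this map while presenting itself as YouTube warrants blocking the APK rather than granting the prompts.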
SentinelLabs reports that CapraRAT variants spotted during the recent campaign show improvements over previously analyzed samples, indicating continued development.
Regarding attribution, the C2 (command and control) server addresses that CapraRAT communicates with are hard-coded into the application configuration file and have been associated with past Transparent Tribe activities.
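Hard-coded C2 addresses in an application’s configuration are exactly what defenders extract during triage to build blocklists and to compare against past infrastructure. The script below is an added example, not SentinelLabs’ tooling or anything taken from the report: it scans a decoded, properties-style config file for host:port endpoints, separates internal addresses and well-known legitimate domains from the rest, and returns the remaining endpoints as candidate C2 indicators for further review. The embedded config is constructed; its addresses are placeholders from the RFC 5737 documentation range and the hostname ends in `.example`, so none of them is a real indicator.

```python
"""Extract hard-coded network endpoints from a decoded app config file.

Added example (not from the SentinelLabs report). The sample config and the
addresses in it are constructed placeholders, not CapraRAT indicators.
"""
import ipaddress
import re

# Matches an IPv4 address or a DNS name, with an optional :port suffix.
ENDPOINT_RE = re.compile(
    r"\b((?:\d{1,3}\.){3}\d{1,3}|(?:[a-z0-9-]+\.)+[a-z]{2,})(?::(\d{2,5}))?\b",
    re.IGNORECASE,
)

# Only RFC 1918, loopback and link-local are treated as internal here, so the
# RFC 5737 documentation addresses used in the sample count as routable.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Domains a YouTube-themed app could legitimately talk to (assumed allowlist).
LEGIT_DOMAIN_SUFFIXES = ("youtube.com", "google.com", "googleapis.com", "googlevideo.com")

# Constructed sample in Java .properties style.
SAMPLE_CONFIG = """
# constructed sample config (placeholders only)
server_host=203.0.113.10
server_port=4444
backup_server=backup.c2-placeholder.example:8080
update_url=https://www.youtube.com/feed
debug_host=127.0.0.1:9999
"""


def classify_host(host: str) -> str:
    """Return 'domain', 'internal-ip' or 'public-ip' for a host string."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "domain"
    if ip.is_loopback or ip.is_link_local or any(ip in net for net in RFC1918):
        return "internal-ip"
    return "public-ip"


def extract_endpoints(config_text: str) -> list:
    """Return every endpoint found, annotated with its line, kind and C2 candidacy."""
    endpoints = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for match in ENDPOINT_RE.finditer(line):
            host, port = match.group(1), match.group(2)
            kind = classify_host(host)
            legit = kind == "domain" and host.lower().endswith(LEGIT_DOMAIN_SUFFIXES)
            endpoints.append({
                "line": lineno,
                "host": host,
                "port": int(port) if port else None,
                "kind": kind,
                # Anything routable and not on the allowlist is worth a second look.
                "candidate_c2": kind != "internal-ip" and not legit,
            })
    return endpoints


def candidate_c2(config_text: str) -> list:
    """Sorted host[:port] strings that merit blocking or comparison with past activity."""
    hits = set()
    for ep in extract_endpoints(config_text):
        if ep["candidate_c2"]:
            hits.add(f"{ep['host']}:{ep['port']}" if ep["port"] else ep["host"])
    return sorted(hits)


if __name__ == "__main__":
    for ep in extract_endpoints(SAMPLE_CONFIG):
        print(f"line {ep['line']}: {ep['host']} port={ep['port']} {ep['kind']} "
              f"candidate_c2={ep['candidate_c2']}")
    print("candidate C2 endpoints:", candidate_c2(SAMPLE_CONFIG))
```

The candidate list is a starting point for matching against previously seen infrastructure, which is how the overlap with earlier Transparent Tribe activity described above is established; it is not by itself proof of attribution.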
Some IP addresses collected by SentinelLabs are linked to other RAT campaigns, although the exact relationship between the threat actors and these remains unclear.
In conclusion, Transparent Tribe continues its cyberespionage activities in India and Pakistan, using its signature Android RAT, now disguised as YouTube, demonstrating evolution and adaptability.
SentinelLabs observes that although the group’s weak operational security makes its campaigns and tools easy to identify, the continued deployment of new applications lets it keep reaching new potential victims.