A known threat actor linked to Pakistan is using romance-based content lures to deliver Android-based spyware that mimics YouTube in order to hijack Android devices. In this way, malicious actors gain almost complete control over victims’ cell phones for cyberespionage and surveillance purposes.
Researchers at SentinelLabs have identified three Android application packages (APKs) linked to Transparent Tribe’s CapraRAT (a remote access Trojan), as they revealed in a blog post published on September 18.
Two of the packages aim to trick users into downloading what they think is the legitimate YouTube app, and a third uses romance-based social engineering built around a YouTube channel belonging to a character called “Piya Sharma”, whose uploads consist of several short clips of a woman in various locations.
“These apps mimic the look and feel of YouTube, although they are less feature-rich than the legitimate native YouTube Android app,” Alex Delamotte, a security researcher at SentinelLabs, wrote in the post.
Transparent Tribe, also known as APT36 and Earth Karkaddan, is a Pakistani threat group active since 2013 that typically targets military and diplomatic personnel in India and Pakistan, with more recent campaigns targeting the Indian education sector. The group has also been active during the COVID-19 pandemic as part of a wave of attacks against remote workers.
Hiding in Malicious Android Apps
Transparent Tribe tends to use Android-based spyware in its attacks, although it also hides malicious payloads behind malicious Office documents. CapraRAT, discovered and named by Trend Micro early last year, is the group’s latest weapon of choice against Android users and has a particularly recognizable structure: the malware is apparently an Android framework that hides RAT functionality inside another application.
Transparent Tribe distributes malware-spreading Android apps outside of the Google Play Store, relying on self-managed websites and social engineering to convince users to install a weaponized app. As part of a campaign launched earlier this year, the group also distributed CapraRAT through Android apps disguised as a dating service, which became a common bait theme for spreading the malware.
“The group’s decision to create a YouTube-like app is a new addition to a known trend by the group of weaponizing Android apps with spyware and distributing them to targets via social media,” Delamotte wrote.
Transparent Tribe has used CapraRAT primarily against targets who have knowledge or information related to cases involving the disputed region of Kashmir, as well as human rights activists working on Pakistan-related issues, she added.
CapraRAT does RAT things
Researchers identified and analyzed three YouTube-themed CapraRAT APKs: two disguised as YouTube itself that borrow the video-sharing service’s icon, and a third, called Piya Sharma, that uses the image and likeness of the YouTube character mentioned previously.
“This theme suggests that the actor continues to use romance-based social engineering techniques to convince his targets to install the apps, and that Piya Sharma is a similar character,” Delamotte wrote.
Once downloaded, the malicious app requests several permissions on the device, some of which make sense for YouTube, such as taking photos and videos and accessing the microphone. Other requested permissions, such as the ability to send, receive and read SMS messages, reflect CapraRAT’s bad intent.
Other capabilities of CapraRAT on a compromised Android device include searching for accounts on the device, accessing contact lists, and reading, modifying or deleting the contents of the device’s SD card.
When the app is launched, it uses a WebView object to load the YouTube website in a different way than the native YouTube app for Android. In fact, it’s “more akin to viewing the YouTube page in a mobile web browser,” Delamotte wrote.
Android Spyware Defense Measures
SentinelLabs warns individuals and organizations linked to diplomatic, military or activist issues in India or Pakistan to be wary of attacks by Transparent Tribe, and in particular of the YouTube impersonation this campaign uses to lure victims.
Android users should never install Android apps distributed outside the Google Play Store itself and also avoid downloading new social media apps advertised within social media communities.
In addition to these common-sense measures, users should also evaluate the permissions requested by an app they download, especially for new or previously unknown apps, to ensure they are not exposed to risks. SentinelLabs also advises them to never install a third-party version of an application already present on their device.
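As an added example (not code from SentinelLabs’ post or from the malware), a small permission triage script for the check described above: given a decoded AndroidManifest.xml, it reports the SMS, account, contact and storage permissions that a YouTube look-alike has no reason to request, and flags a package name that differs from the app it claims to be. The sample manifest, the package name com.example.videoplayer and the expected-permission set are constructed assumptions; com.google.android.youtube is the official YouTube app’s package name.

```python
import xml.etree.ElementTree as ET
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions plausible for a video-streaming client (assumption for this example).
EXPECTED_FOR_VIDEO_APP = {
    "android.permission.INTERNET",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
}

# Permissions matching the capabilities the post attributes to CapraRAT:
# SMS access, account discovery, contact lists and SD-card contents.
SPYWARE_INDICATORS = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.GET_ACCOUNTS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}

def declared_permissions(manifest_xml):
    """Return the set of android:name values from <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {e.get("{%s}name" % ANDROID_NS) for e in root.iter("uses-permission")}

def triage(manifest_xml, claimed_package):
    """Compare a decoded manifest against the app it claims to be."""
    root = ET.fromstring(manifest_xml)
    perms = declared_permissions(manifest_xml)
    return {
        "package_mismatch": root.get("package") != claimed_package,
        "suspicious": sorted(perms & SPYWARE_INDICATORS),
        "unexpected": sorted(perms - EXPECTED_FOR_VIDEO_APP - SPYWARE_INDICATORS),
    }

# Constructed manifest modelled on the permissions described in the post; not a real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.videoplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, "com.google.android.youtube"))
```

On a real APK the manifest is binary XML; decode it first (for example with apktool or aapt) and feed the resulting text to `triage`.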