The APT36 hacking group, also known as ‘Transparent Tribe,’ has been discovered using malicious Android apps that imitate YouTube to infect their targets’ devices with the mobile remote access trojan (RAT) called ‘CapraRAT’.
For those unaware, APT36 (or Transparent Tribe) is a suspected Pakistan-linked hacking group primarily known for using malicious Android apps to attack Indian defense and government agencies, organizations involved with the Kashmir region, as well as human rights activists working on matters related to Pakistan.
SentinelLabs, a cybersecurity company, was able to identify three Android application packages (APK) linked to Transparent Tribe’s CapraRAT, which mimicked the appearance of YouTube.
“CapraRAT is a highly invasive tool that gives the attacker control over much of the data on the Android devices that it infects,” SentinelLabs security researcher Alex Delamotte wrote in an analysis on Monday.
According to the researchers, the malicious APKs are not distributed through Android’s Google Play Store, which means the victims are most likely socially engineered to download and install the app from a third-party source.
Analysis of the three APKs revealed that they contained the CapraRAT trojan and were uploaded to VirusTotal in April, July, and August 2023. Two of the CapraRAT APKs were named ‘YouTube’, and one was named ‘Piya Sharma’, associated with a channel potentially used for romance-based social engineering techniques to convince targets to install the applications.
The list of apps is as follows:
- Base.media.service
- moves.media.tubes
- videos.watchs.share
During installation, apps ask for a number of risky permissions, some of which might initially appear harmless for the victim for a media streaming app like YouTube and treat it without suspicion.
The interface of the malicious apps attempts to imitate Google’s real YouTube app but appears more like a web browser than an app due to the use of WebView from within the trojanized app to load the service. They also lacked certain features and functions available in the legitimate native Android YouTube app.
Once CapraRAT is installed on the victim’s device, it can perform various actions such as recording with the microphone, front and rear cameras, collecting SMS and multimedia message contents and call logs, sending SMS messages, blocking incoming SMS, initiating phone calls, taking screen captures, overriding system settings such as GPS & Network, and modifying files on the phone’s filesystem.
According to SentinelLabs, the recent CapraRAT variants found during the current campaign indicate continuous development of the malware by Transparent Tribe.
Regarding attribution, the IP addresses of the command and control (C2) servers that CapraRAT communicates with are hardcoded in the app’s configuration file and have been linked with past activities of the hacking group.
However, some IP addresses were linked to other RAT campaigns, although the exact relationship between these threat actors and Transparent Tribe remains unclear.
“Transparent Tribe is a perennial actor with reliable habits. The relatively low operational security bar enables swift identification of their tools.
Individuals and organizations connected to diplomatic, military, or activist matters in the India and Pakistan regions should evaluate defense against this actor and threat,” Delamotte concluded.
