Hackers infect Android devices with YouTube clones
September 19, 2023
Hacker group APT36, also known as Transparent Tribe, used at least three YouTube-mimicking Android apps to infect devices with the CapraRAT Remote Access Trojan (RAT). Once installed on the victim’s device, the malware can collect data, record audio and video, or access sensitive information and essentially act as a spyware tool.
APT36 is a Pakistani threat actor known for using malicious or augmented Android applications to attack Indian defense and government agencies, institutions dealing with the Kashmir region, and human rights activists in Pakistan.
This latest campaign was spotted by SentinelLabs, which warned individuals and organizations affiliated with the military or diplomacy in India and Pakistan to be very careful about YouTube-for-Android apps hosted on third-party sites. Since the malicious APK files are distributed outside Google Play, the official Android app store, victims are most likely lured through social engineering into downloading and installing them.
The APK files were uploaded to VirusTotal in April, July and August 2023. Two were named “YouTube” and one “Piya Sharma”, the latter linked to the channel of a persona believed to be used in romance-based lures.
During installation, the malware requests numerous risky permissions; some of these a victim may accept without suspicion from a media-streaming app like YouTube.
Permissions requested during installation (SentinelLabs)
The malware’s interface attempts to mimic the real Google YouTube app, but it looks more like a web browser than a native app because the trojan loads the service inside a WebView. It also lacks some features found on the real platform.
Interface of the fake program (SentinelLabs)
CapraRAT performs the following actions when launched on a device:
Recording with the microphone and the front and rear cameras
Collecting the content of SMS and multimedia messages, and call logs
Sending SMS and blocking incoming SMS
Initiating phone calls
Taking screenshots
Overriding system settings such as GPS and network
Replacing files in the phone’s file system
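The permission and capability list above suggests a simple triage check a defender can run on a sideloaded APK: decode its AndroidManifest.xml (for example with apktool), then flag an app whose label claims to be YouTube but whose package name is not Google’s, and whose requested permissions line up with the RAT capabilities described. The following script is an added example, not SentinelLabs’ or APT36’s code; the sample manifest is constructed, and the mapping from permissions to capabilities is an assumption derived from the list in the article.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
LABEL_ATTR = f"{{{ANDROID_NS}}}label"
OFFICIAL_YOUTUBE_PACKAGE = "com.google.android.youtube"  # real package name

# Permissions a video-streaming client plausibly needs (assumed baseline).
EXPECTED_FOR_STREAMING = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.WAKE_LOCK",
    "android.permission.FOREGROUND_SERVICE",
}

# Assumed mapping from Android permissions to the CapraRAT capabilities
# listed in the article (audio/video capture, SMS, calls, settings, files).
RAT_CAPABILITY_PERMISSIONS = {
    "android.permission.RECORD_AUDIO": "microphone recording",
    "android.permission.CAMERA": "camera recording",
    "android.permission.READ_SMS": "SMS content collection",
    "android.permission.RECEIVE_SMS": "incoming SMS interception",
    "android.permission.SEND_SMS": "SMS sending",
    "android.permission.READ_CALL_LOG": "call log collection",
    "android.permission.CALL_PHONE": "phone call initiation",
    "android.permission.ACCESS_FINE_LOCATION": "GPS access",
    "android.permission.WRITE_SETTINGS": "system settings override",
    "android.permission.WRITE_EXTERNAL_STORAGE": "file system modification",
}

# Constructed sample: a decoded manifest of a fake "YouTube" app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeyoutube">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <application android:label="YouTube"/>
</manifest>"""

def triage_manifest(manifest_xml: str) -> dict:
    """Flag impersonation and RAT-like permission requests in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    app = root.find("application")
    label = app.get(LABEL_ATTR, "") if app is not None else ""
    requested = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}
    suspicious = {p: RAT_CAPABILITY_PERMISSIONS[p] for p in sorted(requested)
                  if p in RAT_CAPABILITY_PERMISSIONS}
    impersonating = "youtube" in label.lower() and package != OFFICIAL_YOUTUBE_PACKAGE
    return {
        "package": package, "label": label,
        "impersonating_youtube": impersonating,
        "unexpected_permissions": sorted(requested - EXPECTED_FOR_STREAMING),
        "suspicious_permissions": suspicious,
        "verdict": "high" if impersonating and suspicious else "review",
    }
```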
SentinelLabs reported that the CapraRAT variants detected during the latest campaign were an improvement over previously analyzed samples, indicating continued development. For attribution purposes, the C2 (command and control) server addresses that CapraRAT communicates with are hard-coded in the application’s configuration file and are associated with past Transparent Tribe actions.
Some IP addresses obtained by SentinelLabs have been linked to other RAT campaigns, but the exact connection between them and the attackers remains unclear. In summary, Transparent Tribe continues its cyberespionage activities in India and Pakistan using its proprietary Android RAT, which now masquerades as YouTube, demonstrating evolution and adaptability.
SentinelLabs notes that the threat group’s weak operational security makes its campaigns and tools easy to detect, but its constant release of new applications lets it keep reaching new potential victims and stay a step ahead of takedowns.
As an experienced journalist and author, Mary has been reporting on the latest news and trends for over 5 years. With a passion for uncovering the stories behind the headlines, Mary has earned a reputation as a trusted voice in the world of journalism. Her writing style is insightful, engaging and thought-provoking, as she takes a deep dive into the most pressing issues of our time.