A well-known threat actor linked to Pakistan is using romance-based content lures to spread Android-based spyware disguised as the YouTube app, allowing them to take control of victims’ mobile devices. SentinelLabs, a group of researchers, recently discovered three Android application packages (APKs) associated with CapraRAT, a remote access Trojan used by a threat group known as Transparent Tribe. The researchers revealed their findings in a blog post published on September 18.
Two of the APKs aim to trick users into downloading what they believe to be the legitimate YouTube app. The other uses a romance-based social engineering technique wherein the threat actor reaches out to a YouTube channel owned by a persona named “Piya Sharma.” The channel features several short clips of a woman in different locations. The malicious apps mimic the appearance of YouTube but are less feature-rich than the actual app, according to Alex Delamotte, a security researcher at SentinelLabs.
Transparent Tribe, also known as APT36 and Earth Karkaddan, is a Pakistani threat group that has been active since 2013. It typically targets military and diplomatic personnel in both India and Pakistan, with more recent campaigns focusing on India’s education sector. The group was also active during the COVID-19 pandemic as part of a wave of attacks against remote workers.
Transparent Tribe primarily uses Android-based spyware in its attacks and has previously hidden malicious payloads behind Office documents. CapraRAT, which was discovered and named by Trend Micro early last year, is the group’s latest weapon of choice against Android users. The malware is packaged as an Android framework, hiding its remote access Trojan functionality inside another application.
To distribute the malware, Transparent Tribe relies on self-run websites and social engineering techniques to convince users to install weaponized applications. In a campaign earlier this year, the group distributed CapraRAT through Android apps disguised as a dating service, which has become a common technique for delivering the malware.
Delamotte noted that the decision to create a YouTube-like app is a new addition to Transparent Tribe’s trend of weaponizing Android applications with spyware and distributing them via social media. The group mainly targets individuals with insight or information related to the disputed region of Kashmir and human rights activists focused on Pakistan.
Once the malicious app is downloaded, it requests various device permissions, some of which are legitimate for a YouTube app. However, other permissions, such as the ability to send, receive, and read SMS messages, reveal CapraRAT’s malicious intent. The malware can also access contact lists, SD cards, and modify or delete contents on the compromised device.
When launched, the app uses a WebView object to load YouTube’s website, but in a way that differs from the native YouTube app on Android. It is more like viewing the YouTube page in a mobile web browser, according to Delamotte.
SentinelLabs warns individuals and organizations involved in diplomatic, military, or activist matters in India or Pakistan to be cautious of Transparent Tribe’s attacks, especially this campaign impersonating YouTube. The researchers advise Android users to avoid installing applications distributed outside the Google Play Store and to be skeptical of new social media apps advertised within social media communities. Furthermore, users should carefully evaluate the permissions requested by any downloaded application, particularly for unfamiliar apps, to mitigate the risk. They also urge users not to install third-party versions of apps that are already present on their devices.
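The permission review the researchers recommend can be turned into a simple triage check. The script below is an added example, not SentinelLabs' tooling or any code from the article: it parses an `AndroidManifest.xml`, sorts every requested permission into what a video-playback app can justify, what the article names as revealing CapraRAT's intent (SMS, contacts, SD card), and anything else that deserves a look. The allow-list of expected permissions is an assumption chosen for the example, and the manifest it runs on is constructed, not taken from the real samples.

```python
"""Triage the permissions an Android manifest requests against what a
claimed video-streaming app should need.

Added example for illustration; the allow-list and the sample manifest
below are assumptions, not data from the SentinelLabs report."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Permissions a plain video-playback app can plausibly justify (assumption
# for this example, not an official definition).
EXPECTED_FOR_VIDEO_APP = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.WAKE_LOCK",
}

# Permissions the article singles out as exposing CapraRAT's intent, mapped
# to the capability each one grants the app.
SPYWARE_INDICATORS = {
    "android.permission.SEND_SMS": "send SMS messages",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS messages",
    "android.permission.READ_SMS": "read stored SMS messages",
    "android.permission.READ_CONTACTS": "read the contact list",
    "android.permission.WRITE_CONTACTS": "modify the contact list",
    "android.permission.READ_EXTERNAL_STORAGE": "read the SD card",
    "android.permission.WRITE_EXTERNAL_STORAGE": "modify or delete SD card contents",
}


def declared_permissions(manifest_xml):
    """Return every permission the manifest requests, in declaration order,
    covering both <uses-permission> and <uses-permission-sdk-23> elements."""
    root = ET.fromstring(manifest_xml)
    perms = []
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for element in root.iter(tag):
            name = element.get(NAME_ATTR)
            if name and name not in perms:
                perms.append(name)
    return perms


def triage_permissions(manifest_xml):
    """Sort the requested permissions into three buckets:
    expected for a video app, known spyware indicators (with the capability
    they grant), and anything else that warrants manual review."""
    report = {"expected": [], "suspicious": [], "unexpected": []}
    for perm in declared_permissions(manifest_xml):
        if perm in EXPECTED_FOR_VIDEO_APP:
            report["expected"].append(perm)
        elif perm in SPYWARE_INDICATORS:
            report["suspicious"].append((perm, SPYWARE_INDICATORS[perm]))
        else:
            report["unexpected"].append(perm)
    return report


# Constructed manifest of a YouTube look-alike that also asks for SMS,
# contact and storage access. Package name and contents are made up.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fake.youtube">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.WAKE_LOCK"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="YouTube"/>
</manifest>
"""

if __name__ == "__main__":
    result = triage_permissions(SAMPLE_MANIFEST)
    for perm in result["expected"]:
        print("ok        ", perm)
    for perm, capability in result["suspicious"]:
        print("SUSPICIOUS", perm, "->", capability)
    for perm in result["unexpected"]:
        print("review    ", perm)
```

On a real APK, the binary manifest first has to be decoded (for instance with `apktool` or `aapt dump permissions`) before it can be fed to `triage_permissions`; the script deliberately reads decoded XML only. Anything landing in the `suspicious` bucket for an app that claims to be a video player is the signal the article describes: a YouTube clone has no reason to send or read SMS or to touch the contact list.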