The New Wave of Cyber Espionage Hidden in Fake YouTube Apps


September 19, 2023

APT36, often referred to as ‘Transparent Tribe,’ has been identified as deploying a trio of Android applications that simulate the appearance of YouTube. These are crafted to infect devices with the group’s hallmark remote access trojan (RAT), named ‘CapraRAT.’

When the malware establishes itself on a target device, it possesses the capabilities to extract data, record both audio and video and gain entry to confidential communications, essentially functioning as a covert surveillance tool.

This group, aligned with Pakistani interests, has a reputation for leveraging compromised Android apps to target entities within the Indian defense and government sectors. Notably, they target those involved with matters concerning the Kashmir region and human rights activists within Pakistan. This latest digital assault was detected by SentinelLabs. Their advice to organizations and individuals associated with diplomatic and military operations in both India and Pakistan is to exercise caution, especially with YouTube Android apps found on non-official platforms.

A Counterfeit YouTube

The deceptive APKs are circulated beyond Google Play, the standard store for Android apps. Consequently, victims are often manipulated into downloading and installing these apps.

These APKs made their appearance on VirusTotal between April and August 2023. Two of them bore the name ‘YouTube,’ while one was titled ‘Piya Sharma,’ seemingly affiliated with a channel possibly intended for romantic deception.

During the setup process, these malicious applications demand a slew of potentially dangerous permissions, which a user might unknowingly approve, assuming they’re prerequisites for a media application like YouTube. Although these rogue applications strive to mirror the genuine YouTube application, they more closely resemble a web browser. This is because they employ WebView within the app to access the service, and they lack many features found on the legitimate platform. Upon activation, CapraRAT can:

  • Capture audio and video using device cameras and microphones.
  • Retrieve the contents of SMS and MMS, as well as call logs.
  • Send text messages and block incoming ones.
  • Initiate phone calls.
  • Capture screenshots.
  • Alter critical system settings, including GPS and network configurations.
  • Modify files stored in the device.
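A triage check a defender could run on the decoded AndroidManifest.xml of a sideloaded app that presents itself as YouTube, given as an added example that is not from the original article or from SentinelLabs. The permission-to-capability mapping, the `triage_manifest` function, and the sample manifest are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
GENUINE_YOUTUBE_PACKAGE = "com.google.android.youtube"
P = "android.permission."

# Assumed mapping from the capabilities listed above to standard Android permissions.
CAPABILITY_PERMISSIONS = {
    "record audio/video": {P + "RECORD_AUDIO", P + "CAMERA"},
    "read SMS/MMS and call logs": {P + "READ_SMS", P + "READ_CALL_LOG"},
    "send or intercept texts": {P + "SEND_SMS", P + "RECEIVE_SMS"},
    "place phone calls": {P + "CALL_PHONE"},
    "change system settings": {P + "WRITE_SETTINGS"},
    "modify stored files": {P + "WRITE_EXTERNAL_STORAGE"},
}
# Capabilities treated here (an assumption) as unexpected for a video app.
TELEPHONY = {"read SMS/MMS and call logs", "send or intercept texts", "place phone calls"}

def triage_manifest(manifest_xml, displayed_name):
    """Flag a decoded AndroidManifest.xml whose name or permissions do not fit a video app."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    requested = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    capabilities = sorted(c for c, perms in CAPABILITY_PERMISSIONS.items() if perms & requested)
    # Shown to the user as "YouTube" but not shipped under Google's package name.
    impersonation = "youtube" in displayed_name.lower() and package != GENUINE_YOUTUBE_PACKAGE
    return {
        "package": package,
        "impersonation": impersonation,
        "capabilities": capabilities,
        "flagged": impersonation or bool(TELEPHONY & set(capabilities)),
    }

# Constructed sample manifest (not taken from a real CapraRAT sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.videoplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST, "YouTube"))
```

The telephony check still flags the manifest when the displayed name is not ‘YouTube,’ which covers an app titled like the ‘Piya Sharma’ one.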

According to SentinelLabs, the versions of CapraRAT found in this recent operation have advanced beyond previously examined samples, indicating ongoing refinement.

In terms of identifying the source, the addresses of the C2 (command and control) servers with which CapraRAT interacts are embedded in the app’s configuration. These have been linked with prior operations by Transparent Tribe. Moreover, some IP addresses unearthed by SentinelLabs have associations with other RAT endeavors, although the connection between these operations remains ambiguous.

To sum up, Transparent Tribe persists in its cyber-intelligence efforts in India and Pakistan. Now, they camouflage their signature Android RAT as YouTube apps, underscoring their capacity for innovation and flexibility.

SentinelLabs points out that while the group’s lackluster operational security makes their actions and tools discernible, their relentless introduction of fresh apps grants them a mercurial advantage, always targeting new victims.

Saher Mahmood

Saher is a cybersecurity researcher with a passion for innovative technology and AI. She explores the intersection of AI and cybersecurity to stay ahead of evolving threats.
