APT36, often referred to as ‘Transparent Tribe,’ has been identified as deploying a trio of Android applications that simulate the appearance of YouTube. These are crafted to inject devices with their hallmark remote access trojan (RAT) named ‘CapraRAT.’
When the malware establishes itself on a target device, it possesses the capabilities to extract data, record both audio and video and gain entry to confidential communications, essentially functioning as a covert surveillance tool.
This group, aligned with Pakistani interests, has a reputation for leveraging compromised Android apps to target entities within the Indian defense and government sectors. Notably, they target those involved with matters concerning the Kashmir region and human rights activists within Pakistan. This latest digital assault was detected by SentinelLabs. Their advice to organizations and individuals associated with diplomatic and military operations in both India and Pakistan is to exercise caution, especially with YouTube Android apps found on non-official platforms.
A Counterfeit YouTube

The deceptive APKs are circulated beyond Google Play, the standard store for Android apps. Consequently, victims are often manipulated into downloading and installing these apps.
These APKs made their appearance on VirusTotal between April and August 2023. Two of them bore the name ‘YouTube,’ while one was titled ‘Piya Sharma,’ seemingly affiliated with a channel possibly intended for romantic deception.
During the setup process, these malicious applications demand a slew of potentially dangerous permissions, which a user might unknowingly approve, assuming they’re prerequisites for a media application like YouTube. Although these rogue applications strive to mirror the genuine YouTube application, they more closely resemble a web browser. This is because they employ WebView within the app to access the service, and they lack many features found on the legitimate platform. Upon activation, CapraRAT can:
- Capture audio and video using device cameras and microphones.
- Retrieve the contents of SMS and MMS, as well as call logs.
- Send text messages and block incoming ones.
- Initiate phone calls.
- Capture screenshots.
- Alter critical system settings, including GPS and network configurations.
- Modify files stored in the device.
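The permission list a lookalike app demands at install time maps directly onto the capabilities above, so a defender triaging a suspicious "YouTube" APK can score it by that mapping. The following is an added example, not code from the article or from SentinelLabs; it assumes the APK has already been decoded to a plain-text AndroidManifest.xml (for instance with apktool), and the sample manifest and package name are constructed for illustration.

```python
# Added example: triage a decoded AndroidManifest.xml for the surveillance-capable
# permissions a CapraRAT-style app needs. Assumes the manifest is plain-text XML
# (the copy inside a packaged APK is binary XML and must be decoded first).
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Map the capabilities described for CapraRAT to the Android permissions they require.
CAPABILITY_PERMISSIONS = {
    "audio/video capture": {"android.permission.RECORD_AUDIO", "android.permission.CAMERA"},
    "SMS/MMS and call log access": {"android.permission.READ_SMS", "android.permission.READ_CALL_LOG"},
    "send/block text messages": {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS"},
    "initiate phone calls": {"android.permission.CALL_PHONE"},
    "GPS/network settings": {"android.permission.ACCESS_FINE_LOCATION", "android.permission.WRITE_SETTINGS"},
    "file modification": {"android.permission.WRITE_EXTERNAL_STORAGE"},
}

# Constructed sample manifest (hypothetical package name): a "YouTube" lookalike
# requesting far more than a video player needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.youtube.lookalike">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="YouTube"/>
</manifest>"""


def extract_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def app_label(manifest_xml):
    """Return the declared application label, or an empty string if none."""
    app = ET.fromstring(manifest_xml).find("application")
    return (app.get(ANDROID_NS + "label") or "") if app is not None else ""


def triage(manifest_xml):
    """Return (matched capabilities, flagged). Flagged means the app calls itself
    YouTube yet requests permissions enabling two or more RAT capabilities."""
    perms = extract_permissions(manifest_xml)
    matched = sorted(cap for cap, need in CAPABILITY_PERMISSIONS.items() if perms & need)
    lookalike = "youtube" in app_label(manifest_xml).lower()
    return matched, lookalike and len(matched) >= 2
```

Running `triage(SAMPLE_MANIFEST)` flags the constructed sample with five matched capabilities, while a manifest that only requests INTERNET is not flagged.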
According to SentinelLabs, the versions of CapraRAT found in this recent operation have advanced beyond previously examined samples, indicating ongoing refinement.
In terms of identifying the source, the addresses of the C2 (command and control) servers with which CapraRAT interacts are embedded in the app’s configuration. These have been linked with prior operations by Transparent Tribe. Moreover, some IP addresses unearthed by SentinelLabs have associations with other RAT endeavors, although the connection between these operations remains ambiguous.
To sum up, Transparent Tribe persists in its cyber-intelligence efforts in India and Pakistan. Now, they camouflage their signature Android RAT as YouTube apps, underscoring their capacity for innovation and flexibility.
SentinelLabs points out that while the group’s lackluster operational security makes their actions and tools discernible, their relentless introduction of fresh apps grants them a mercurial advantage, always targeting new victims.