Transparent Tribe is distributing malicious Android applications that impersonate the popular YouTube app.
The campaign delivers the CapraRAT mobile remote access trojan (RAT) and shows the continued evolution of the group's operations. CapraRAT gives the attacker extensive control over the data stored on an infected Android device.
Transparent Tribe, also tracked as APT36, has a long history of targeting Indian entities for intelligence gathering. Its toolkit can compromise Windows, Linux, and Android systems, and CapraRAT is its core Android implant.
This malware has previously been distributed as trojanized secure messaging and calling applications named "MeetsApp" and "MeetUp," using social engineering lures to draw in unsuspecting victims.
In the latest discovery by SentinelOne, a set of Android package (APK) files is disguised as YouTube applications. One of these apps loads a YouTube channel associated with "Piya Sharma" directly.
The app's naming, in this case, is consistent with the adversary's use of romance-based phishing lures to entice potential targets.
The package names of these deceptive applications are:
- com.Base.media.service
- com.moves.media.tubes
- com.videos.watchs.share
Upon installation, these apps request intrusive permissions, effectively granting the malware access to a broad range of sensitive data.
The stolen information is then exfiltrated to a server controlled by the threat actor. CapraRAT can also initiate phone calls and intercept or block incoming SMS messages.
The group's relatively weak operational security makes its tools comparatively easy to identify.