Transparent Tribe Spreads CapraRAT Malware Through Fake YouTube Apps

Written by Gabby Lee

September 19, 2023

Transparent Tribe Spreads CapraRAT Malware Through Fake YouTube Apps

Transparent Tribe is employing a sophisticated tactic involving malicious Android applications designed to mimic the popular platform, YouTube.

This strategy aims to disseminate the CapraRAT mobile remote access trojan (RAT), showing the persistent evolution of their cyber activities. CapraRAT, a potent tool, bestows the attacker with extensive control over the data residing on infected Android devices.

Transparent Tribe, also recognized as APT36, has a well-established history of targeting Indian entities for intelligence gathering. Their toolkit boasts the ability to infiltrate Windows, Linux, and Android systems, and at its core lies the CapraRAT.

This malicious software has been propagated in the form of trojanized secure messaging and calling applications, adopting the names “MeetsApp” and “MeetUp.” The distribution mechanism leverages social engineering lures to trap unsuspecting victims.

In the latest discovery by SentinelOne, a set of Android package (APK) files is skilfully disguised as YouTube applications. One of these apps directly connects to a YouTube channel associated with “Piya Sharma.”

The app’s nomenclature, in this case, aligns with the adversary’s cunning employment of romance-based phishing techniques to entice potential targets.

To clarify, the list of these deceptive applications includes:

  • com.videos.watchs.share

Upon installation, these apps request intrusive permissions, effectively granting the malware access to a broad spectrum of sensitive data.

Subsequently, this stolen information is exfiltrated to a server under the control of the threat actor. Furthermore, CapraRAT exhibits additional functionality, allowing it to initiate phone calls and intercept, as well as block incoming SMS messages.

The relatively modest operational security measures employed by the group facilitate the rapid identification of their tools.

Related Articles

Stay Up to Date With The Latest News & Updates

Join Our Newsletter


Subscribe To Our Newsletter

Sign up to our weekly newsletter summarizing everything thats happened in data security, storage, and backup and disaster recovery

You have Successfully Subscribed!