Connect with us

Hi, what are you looking for?


Malware & Threats

Pakistani APT Uses YouTube-Mimicking RAT to Spy on Android Devices

New versions of Pakistan-linked APT Transparent Tribe’s CapraRAT Android trojan mimic the appearance of YouTube.

Pakistan-linked state-sponsored threat actor Transparent Tribe has been observed using new versions of the CapraRAT Android trojan that mimic the appearance of YouTube, SentinelOne reports.

Also tracked as APT36 and Mythic Leopard and active since at least 2016, the threat actor is known for the targeting of government and military personnel in India and Pakistan, and was recently seen targeting the Indian education sector as well.

The threat actor has been using CapraRAT since 2018, mainly for surveillance purposes, targeting individuals connected to matters involving the Kashmir region and human rights activists working on Pakistan-related issues.

Transparent Tribe is distributing its Android malware via malicious websites, relying on social engineering to convince the intended targets to install the trojanized applications.

Earlier this year, the threat actor was seen distributing CapraRAT iterations masquerading as a dating service app, most likely via a romance scam. The three recent CapraRAT samples that mimic YouTube appear to use the same scheme for distribution, SentinelOne says.

The samples borrow the YouTube icon and request permissions typically associated with the legitimate video sharing service, including microphone access. When executed, the malware launches a WebView object to load the YouTube website, so as not to raise suspicion.

Once installed on a victim’s device, the malware can make recordings using the microphone and cameras, collect messages and call logs, send and block messages, make phone calls, take screenshots, override system settings for GPS and network, and modify files.

Advertisement. Scroll to continue reading.

“Transparent Tribe is a perennial actor with reliable habits. The relatively low operational security bar enables swift identification of their tools. The group’s decision to make a YouTube-like app is a new addition to a known trend of the group weaponizing Android applications with spyware and distributing them to targets through social media,” SentinelOne notes.

The cybersecurity firm warns all individuals associated with diplomatic, military, and activist matters related to India and Pakistan to be wary of potential targeting by Transparent Tribe.

Related: Android App With 50,000 Downloads in Google Play Turned Into Spyware via Update

Related: Meta Disrupted Two Cyberespionage Operations in South Asia

Related: Threat Actor Targets Indian Government With Commercial RATs

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...