Connect with us

Hi, what are you looking for?


Malware & Threats

Pakistani APT Uses YouTube-Mimicking RAT to Spy on Android Devices

New versions of Pakistan-linked APT Transparent Tribe’s CapraRAT Android trojan mimic the appearance of YouTube.

Pakistan-linked state-sponsored threat actor Transparent Tribe has been observed using new versions of the CapraRAT Android trojan that mimic the appearance of YouTube, SentinelOne reports.

Also tracked as APT36 and Mythic Leopard and active since at least 2016, the threat actor is known for the targeting of government and military personnel in India and Pakistan, and was recently seen targeting the Indian education sector as well.

The threat actor has been using CapraRAT since 2018, mainly for surveillance purposes, targeting individuals connected to matters involving the Kashmir region and human rights activists working on Pakistan-related issues.

Transparent Tribe is distributing its Android malware via malicious websites, relying on social engineering to convince the intended targets to install the trojanized applications.

Earlier this year, the threat actor was seen distributing CapraRAT iterations masquerading as a dating service app, most likely via a romance scam. The three recent CapraRAT samples that mimic YouTube appear to use the same scheme for distribution, SentinelOne says.

The samples borrow the YouTube icon and request permissions typically associated with the legitimate video sharing service, including microphone access. When executed, the malware launches a WebView object to load the YouTube website, so as not to raise suspicion.

Once installed on a victim’s device, the malware can make recordings using the microphone and cameras, collect messages and call logs, send and block messages, make phone calls, take screenshots, override system settings for GPS and network, and modify files.

“Transparent Tribe is a perennial actor with reliable habits. The relatively low operational security bar enables swift identification of their tools. The group’s decision to make a YouTube-like app is a new addition to a known trend of the group weaponizing Android applications with spyware and distributing them to targets through social media,” SentinelOne notes.

Advertisement. Scroll to continue reading.

The cybersecurity firm warns all individuals associated with diplomatic, military, and activist matters related to India and Pakistan to be wary of potential targeting by Transparent Tribe.

Related: Android App With 50,000 Downloads in Google Play Turned Into Spyware via Update

Related: Meta Disrupted Two Cyberespionage Operations in South Asia

Related: Threat Actor Targets Indian Government With Commercial RATs

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Mobile & Wireless

Samsung smartphone users warned about CVE-2023-21492, an ASLR bypass vulnerability exploited in the wild, likely by a spyware vendor.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.