Pakistan-linked state-sponsored threat actor Transparent Tribe has been observed using new versions of the CapraRAT Android trojan that mimic the appearance of YouTube, SentinelOne reports.
Also tracked as APT36 and Mythic Leopard and active since at least 2016, the threat actor is known for the targeting of government and military personnel in India and Pakistan, and was recently seen targeting the Indian education sector as well.
The threat actor has been using CapraRAT since 2018, mainly for surveillance purposes, targeting individuals connected to matters involving the Kashmir region and human rights activists working on Pakistan-related issues.
Transparent Tribe is distributing its Android malware via malicious websites, relying on social engineering to convince the intended targets to install the trojanized applications.
Earlier this year, the threat actor was seen distributing CapraRAT iterations masquerading as a dating service app, most likely via a romance scam. The three recent CapraRAT samples that mimic YouTube appear to use the same scheme for distribution, SentinelOne says.
The samples borrow the YouTube icon and request permissions typically associated with the legitimate video sharing service, including microphone access. When executed, the malware launches a WebView object to load the YouTube website, so as not to raise suspicion.
Once installed on a victim’s device, the malware can make recordings using the microphone and cameras, collect messages and call logs, send and block messages, make phone calls, take screenshots, override system settings for GPS and network, and modify files.
“Transparent Tribe is a perennial actor with reliable habits. The relatively low operational security bar enables swift identification of their tools. The group’s decision to make a YouTube-like app is a new addition to a known trend of the group weaponizing Android applications with spyware and distributing them to targets through social media,” SentinelOne notes.
The cybersecurity firm warns all individuals associated with diplomatic, military, and activist matters related to India and Pakistan to be wary of potential targeting by Transparent Tribe.
Related: Android App With 50,000 Downloads in Google Play Turned Into Spyware via Update
Related: Meta Disrupted Two Cyberespionage Operations in South Asia
Related: Threat Actor Targets Indian Government With Commercial RATs
