Transparent Tribe, a group suspected of operating out of Pakistan, is known for targeting military and diplomatic personnel and, more recently, the Indian education sector.
Outside the Play Store, the group distributes weaponized Android apps through websites it runs itself and through social engineering.
Cybersecurity researchers at Sentinel Labs recently reported that the threat actors behind this group are actively using the CapraRAT Android malware, disguised as the YouTube app, to take control of Android devices.
The group has used CapraRAT, which hides RAT functionality inside otherwise ordinary-looking apps, since 2018, when it was deployed to monitor Pakistani human rights activists and targets connected to Kashmir-related issues.
Malware Hijack Android Phones
In early 2023 the group also disguised CapraRAT as a dating app to support its spyware operations.
One of the APKs links to a YouTube channel belonging to a person named Piya Sharma and borrows her name and likeness, showing the group's continued use of romance-based social engineering.
CapraRAT's data-harvesting and exfiltration capabilities include the following:
- Recording with the microphone
- Recording with the front camera
- Recording with the rear camera
- Collecting SMS
- Collecting multimedia message contents
- Collecting call logs
- Sending SMS messages
- Blocking incoming SMS
- Initiating phone calls
- Taking screen captures
- Overriding system settings
- Modifying files on the phone's filesystem
CapraRAT Mimicking YouTube App
CapraRAT, the name Trend Micro originally gave the malware, shows traces of AndroRAT in the Android APKs it is distributed as.
Researchers identified several YouTube-themed CapraRAT APKs and analyzed three of them, listed below by SHA-1 hash and file name:
- 8beab9e454b5283e892aeca6bca9afb608fa8718 – yt.apk
- 83412f9d757937f2719ebd7e5f509956ab43c3ce – YouTube_052647.apk
- 14110facecceb016c694f04814b5e504dc6cde61 – Piya Sharma.apk
On launch, CapraRAT's MainActivity loads the YouTube website in a WebView, so the experience differs noticeably from the native YouTube app.
Because CapraRAT is a reusable Android framework, its file structure varies from app to app. The analysts recorded the following paths for the three APKs:
- Name: yt.apk
- Configuration: com/media/gallery/service/settings
- Version: MSK-2023
- Main: com/media/gallery/service/MainActivity
- Malicious Activity: com/media/gallery/service/TPSClient
- Name: YouTube_052647.apk
- Configuration: com/Base/media/service/setting
- Version: A.F.U.3
- Main: com/Base/media/service/MainActivity
- Malicious Activity: com/Base/media/service/TCHPClient
- Name: Piya Sharma.apk
- Configuration: com/videos/watchs/share/setting
- Version: V.U.H.3
- Main: com/videos/watchs/share/MainActivity
- Malicious Activity: com/videos/watchs/share/TCPClient
MainActivity drives the core features: its onCreate method sets up persistence through Autostarter, initializes mTCPService as an instance of TPSClient, and schedules an alarm that fires every minute.
The RAT's key activity, TPSClient, resembles Extra_Class, which contains over 10,000 lines of Smali code. TPSClient's run method handles CapraRAT commands, with switch statements mapping each command to the method that implements it.
The notable changes include the hideApp method, whose behavior now depends on the Android version and the config settings, possibly to accommodate OS changes after Android 9.
CapraRAT's config file stores the C2 server address as SERVERIP and the port as a big-endian hexadecimal value; decoded, the ports are 14862, 18892, and 10284 for the individual APKs.
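As an added triage helper (not code from the Sentinel Labs report or from the malware itself), the script below combines the indicators this article gives: it matches a file's SHA-1 against the three listed hashes, searches an APK's DEX files for the malicious activity classes named above, and decodes a big-endian hex port value of the kind the config file stores. The storage form of the port (a four-character hex string such as 3A0E) is an assumption, and the sample APK is constructed in memory, so it matches no hash.

```python
import hashlib
import io
import re
import zipfile

# SHA-1 hashes and file names of the three YouTube-themed CapraRAT APKs named in the report.
KNOWN_SHA1 = {
    "8beab9e454b5283e892aeca6bca9afb608fa8718": "yt.apk",
    "83412f9d757937f2719ebd7e5f509956ab43c3ce": "YouTube_052647.apk",
    "14110facecceb016c694f04814b5e504dc6cde61": "Piya Sharma.apk",
}

# Malicious activity classes from the report. A DEX string table holds each class as a
# descriptor such as "Lcom/media/gallery/service/TPSClient;", so a byte search suffices.
KNOWN_CLASSES = [
    "com/media/gallery/service/TPSClient",
    "com/Base/media/service/TCHPClient",
    "com/videos/watchs/share/TCPClient",
]

def sha1_of(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()

def decode_port(hex_port: str) -> int:
    """Decode a big-endian hex port (assumed stored as a string such as '3A0E') to an int."""
    return int.from_bytes(bytes.fromhex(hex_port), "big")

def scan_apk(data: bytes) -> dict:
    """Triage an APK: look up its SHA-1 and search every classes*.dex for known RAT classes."""
    findings = {"sha1": sha1_of(data), "known_sample": None, "rat_classes": []}
    findings["known_sample"] = KNOWN_SHA1.get(findings["sha1"])
    with zipfile.ZipFile(io.BytesIO(data)) as apk:
        for name in apk.namelist():
            if re.fullmatch(r"classes\d*\.dex", name):
                dex = apk.read(name)
                findings["rat_classes"] += [c for c in KNOWN_CLASSES if f"L{c};".encode() in dex]
    return findings

def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK: a zip whose fake classes.dex names one RAT class."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<placeholder/>")
        z.writestr("classes.dex", b"dex\n035\x00Lcom/media/gallery/service/TPSClient;\x00")
    return buf.getvalue()

if __name__ == "__main__":
    print(scan_apk(build_sample_apk()))
    print([decode_port(p) for p in ("3A0E", "49CC", "282C")])  # → [14862, 18892, 10284]
```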
Defensive & Preventative Measures
The recommended security measures are:
- Install Android apps only from Google Play.
- Be wary of new social apps advertised in your social media feeds.
- Review the permissions an app requests before granting them.
- Avoid installing third-party copies of well-known apps.
- Do not grant sensitive permissions to unfamiliar apps.