The suspected Pakistan-linked threat actor known as Transparent Tribe (also tracked as APT36) has been observed distributing malicious Android applications disguised as YouTube to deliver the CapraRAT mobile remote access trojan (RAT), the latest sign of the group's continued evolution.
According to a recent analysis by security researcher Alex Delamotte from SentinelOne, CapraRAT is a highly invasive tool that grants attackers control over a significant portion of data on infected Android devices.
Transparent Tribe focuses its intelligence-gathering efforts on Indian entities and employs a range of tools capable of infiltrating Windows, Linux, and Android systems.
Central to their toolkit is CapraRAT, previously distributed as trojanized secure messaging and calling apps under the names MeetsApp and MeetUp. These weaponized apps are distributed using social engineering tactics.
SentinelOne has recently discovered a new set of Android package (APK) files masquerading as YouTube, with one of the apps even connecting to a YouTube channel owned by “Piya Sharma.”
The "Piya Sharma" persona suggests that Transparent Tribe is using romance-themed lures to entice victims into installing the apps. The suspicious package names are:
- com.Base.media.service
- com.moves.media.tubes
- com.videos.watchs.share
Once installed, the apps request intrusive permissions that let the malware harvest sensitive data from the device and exfiltrate it to an attacker-controlled server. CapraRAT can also place phone calls and intercept and block incoming SMS messages.
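A practical way to act on the package names above is to check an attached handset for them and to review what permissions any match requests. The script below is an added triage example, not code from SentinelOne or the article. It parses the output of `adb shell pm list packages` and the "requested permissions:" block of `adb shell dumpsys package <pkg>`; both samples are constructed so it runs offline, and the high-risk permission watch-list is an assumption derived from the capabilities described in the text (calls, SMS interception), not CapraRAT's actual manifest.

```python
"""Android device triage against the CapraRAT package names from the article.

Added example; not part of the original report. Real input comes from:
    adb shell pm list packages
    adb shell dumpsys package <package>     # look for "requested permissions:"
The two sample strings below are constructed so the script runs offline.
"""
from typing import Dict, List

# Package names the article lists as masquerading as YouTube.
IOC_PACKAGES = {
    "com.Base.media.service",
    "com.moves.media.tubes",
    "com.videos.watchs.share",
}

# Assumption: a reviewer's watch-list of permissions that would back the
# behaviours the article describes (placing calls, intercepting/blocking SMS,
# broad data collection). Not claimed to be the malware's real manifest.
HIGH_RISK_PERMISSIONS = {
    "android.permission.CALL_PHONE",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_CONTACTS",
}

# Constructed `pm list packages` output. Includes a lower-cased variant of one
# IOC to show that matching is deliberately case-insensitive.
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome
package:com.google.android.youtube
package:com.moves.media.tubes
package:com.videos.watchs.share
package:com.base.media.service
"""

# Constructed excerpt of `dumpsys package com.moves.media.tubes`.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.moves.media.tubes] (1a2b3c):
    userId=10123
    requested permissions:
      android.permission.INTERNET
      android.permission.RECEIVE_SMS
      android.permission.READ_SMS
      android.permission.CALL_PHONE
      android.permission.RECORD_AUDIO: restricted=true
    install permissions:
      android.permission.INTERNET: granted=true
"""


def find_ioc_packages(pm_output: str) -> List[str]:
    """Return installed package names that match an IOC, ignoring case.

    Package names are case-sensitive on Android, but a lookalike that differs
    only in case is still worth a look, so we err towards flagging it.
    """
    wanted = {p.lower() for p in IOC_PACKAGES}
    hits = []
    for line in pm_output.splitlines():
        if not line.startswith("package:"):
            continue
        name = line.split(":", 1)[1].strip()
        if name.lower() in wanted:
            hits.append(name)
    return sorted(hits)


def requested_permissions(dumpsys_output: str) -> List[str]:
    """Extract the 'requested permissions:' block from dumpsys output.

    The block ends at the first line indented no deeper than its header.
    Some Android versions append ': restricted=true', which is stripped.
    """
    perms: List[str] = []
    header_indent = None
    for line in dumpsys_output.splitlines():
        indent = len(line) - len(line.lstrip())
        if header_indent is None:
            if line.strip() == "requested permissions:":
                header_indent = indent
            continue
        if indent <= header_indent:
            break
        perms.append(line.strip().split(":", 1)[0])
    return perms


def high_risk_permissions(perms: List[str]) -> List[str]:
    """Return the subset of requested permissions on the watch-list."""
    return sorted(set(perms) & HIGH_RISK_PERMISSIONS)


def triage(pm_output: str, dumpsys_by_pkg: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each flagged package to its high-risk permissions (empty if unknown)."""
    report = {}
    for pkg in find_ioc_packages(pm_output):
        dump = dumpsys_by_pkg.get(pkg, "")
        report[pkg] = high_risk_permissions(requested_permissions(dump))
    return report


if __name__ == "__main__":
    result = triage(SAMPLE_PM_OUTPUT, {"com.moves.media.tubes": SAMPLE_DUMPSYS})
    for pkg, risky in result.items():
        print(f"{pkg}: {', '.join(risky) or 'no dumpsys data'}")
```

On a real device, pipe the two adb commands into `triage()`; a match on the package list is the strong signal, and the permission review is there to show the reviewer what the app could do if it is not one of the listed IOCs but looks similar.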
“Transparent Tribe is a consistent threat actor with predictable patterns,” stated Delamotte. “Their lack of operational security makes it easier to identify their tools swiftly. Individuals and organizations involved in diplomatic, military, or activist activities in India and Pakistan should assess their defenses against this threat actor.”