CapraRAT Impersonates YouTube to Hijack Android Devices

Published: 23/11/2024   Category: security




Pakistani threat group Transparent Tribe targets military and diplomatic personnel in India and Pakistan with romance-themed lures in the latest spyware campaign.



A known Pakistan-linked threat actor is dangling romance-based content lures to spread Android-based spyware that mimics YouTube to hijack Android devices. In this way, threat actors gain almost total control over victims' mobile phones for cyber-espionage and surveillance activity.
Researchers from SentinelLabs have identified three Android application packages (APKs) linked to CapraRAT (a remote access Trojan) from Transparent Tribe, they revealed in a blog post published Sept. 18.
Two of the packages aim to trick users into downloading what they think is the legitimate YouTube app, and a third uses romance-based social engineering by reaching out to a YouTube channel belonging to a persona called Piya Sharma, which includes uploads of several short clips of a woman in various locations.
"These apps mimic the appearance of YouTube, though they are less fully featured than the legitimate native Android YouTube application," SentinelLabs security researcher Alex Delamotte wrote in the post.
Transparent Tribe, also known as APT36 and Earth Karkaddan, is a Pakistani threat group that's been active since 2013 and typically targets military and diplomatic personnel in both India and Pakistan, with more recent campaigns targeting India's education sector. The group also was active during COVID-19 as part of a wave of attacks against remote workers.
Transparent Tribe tends to use Android-based spyware in attacks, though it's also hidden malicious payloads behind malicious Office documents. CapraRAT, discovered and named by TrendMicro early last year, is the group's latest weapon of choice against Android users with a notably identifiable structure: the malware is ostensibly an Android framework that hides RAT features inside of another application.
Transparent Tribe distributes Android apps delivering malware outside of the Google Play Store, relying on self-run websites and social engineering to convince users to install a weaponized application. In a campaign earlier this year, the group also distributed CapraRAT via Android apps disguised as a dating service, which has become a common lure theme for delivering the malware.
"The group's decision to make a YouTube-like app is a new addition to a known trend of the group weaponizing Android applications with spyware and distributing them to targets through social media," Delamotte wrote.
Transparent Tribe has wielded CapraRAT mainly against targets who have insight or information related to affairs involving the disputed region of Kashmir, as well as human rights activists working on matters related to Pakistan, she added.
The researchers identified and analyzed three YouTube-themed CapraRAT APKs: two disguised as YouTube itself that borrow the video-sharing service's icon, and the third called Piya Sharma that uses the previously mentioned YouTube persona's image and likeness.
"This theme suggests that the actor continues to use romance-based social engineering techniques to convince targets to install the applications, and that Piya Sharma is a related persona," Delamotte wrote.
Once downloaded, the malicious app requests several device permissions, some that make sense for YouTube, such as taking photos and videos, and gaining microphone access. Other requested permissions, such as the ability to send, receive, and read SMS messages, reflect CapraRAT's bad intent.
Other capabilities of CapraRAT on a compromised Android device include: finding accounts on the device; accessing contact lists; and reading, modifying, and/or deleting contents of a device's SD card.
When the app is launched, it uses a WebView object to load YouTube's website in a way that's different than the native YouTube app for Android. "In fact, it's more akin to viewing the YouTube page in a mobile web browser," Delamotte wrote.
SentinelLabs is warning individuals and organizations connected to diplomatic, military, or activist matters in India or Pakistan to be wary of attacks by Transparent Tribe, and of this campaign's impersonation of YouTube to lure victims in particular.
Android users should never install Android applications distributed outside of the Google Play store itself and also avoid downloading new social media applications advertised within social media communities.
In addition to those commonsense measures, people also should evaluate the permissions requested by an application that they download, particularly for new or previously unfamiliar apps, to ensure they are not being exposed to risk. Further, SentinelLabs advises they should never install a third-party version of an application that's already present on their device.
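The permission review the article recommends can be done mechanically before an APK is sideloaded. The script below is an added example, not code from SentinelLabs or from the CapraRAT analysis: it reads a decoded AndroidManifest.xml (the sample manifest is constructed to mirror the permission mix the article describes) and separates permissions a video-sharing client can justify from the SMS, account, contact and storage permissions the article attributes to CapraRAT.

```python
# Added example (not from the SentinelLabs report): triage the permissions a
# decoded AndroidManifest.xml requests against the app's claimed purpose.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Permissions a video-sharing client can plausibly justify.
EXPECTED_FOR_VIDEO_APP = {
    "android.permission.INTERNET",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
}
# Permissions the article attributes to CapraRAT that a YouTube clone cannot justify.
HIGH_RISK = {
    "android.permission.SEND_SMS": "send SMS",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.READ_SMS": "read stored SMS",
    "android.permission.GET_ACCOUNTS": "enumerate device accounts",
    "android.permission.READ_CONTACTS": "read contact list",
    "android.permission.WRITE_EXTERNAL_STORAGE": "modify or delete SD card contents",
}

def requested_permissions(manifest_xml: str) -> list[str]:
    """Return the android:name of every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name", "") for el in root.iter("uses-permission")]

def triage(manifest_xml: str) -> dict[str, list[str]]:
    """Bucket requested permissions into expected / high_risk / unclassified."""
    perms = set(requested_permissions(manifest_xml))
    risky = perms & set(HIGH_RISK)
    return {
        "expected": sorted(perms & EXPECTED_FOR_VIDEO_APP),
        "high_risk": sorted(f"{p}: {HIGH_RISK[p]}" for p in risky),
        "unclassified": sorted(perms - EXPECTED_FOR_VIDEO_APP - risky),
    }

# Constructed manifest mirroring the permission mix described in the article;
# a real one would come from decoding the APK (for example with apktool).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
</manifest>"""
```

Calling `triage(SAMPLE_MANIFEST)` puts the three media permissions in `expected` and the six spyware-grade permissions in `high_risk`, which is the signal a user or analyst should treat as disqualifying for an app claiming to be YouTube.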
