CapraTube - Transparent Tribe’s CapraRAT mimics YouTube to hijack Android phones

September 2023 by SentinelOne

The toolset has been used for surveillance against spear-phishing targets privy to affairs involving the disputed region of Kashmir, as well as human rights activists working on matters related to Pakistan.

Transparent Tribe distributes Android apps outside of the Google Play Store, relying on self-run websites and social engineering to entice users to install a weaponised application. Earlier in 2023, the group distributed CapraRAT Android apps disguised as a dating service that conducted spyware activity.

One of the newly identified APKs reaches out to a YouTube channel belonging to Piya Sharma, which has several short clips of a woman in various locales. This APK also borrows the individual’s name and likeness. This theme suggests that the actor continues to use romance-based social engineering techniques to convince targets to install the applications and that Piya Sharma is a related persona.

CapraRAT is a comprehensive RAT that provides the actors with the ability to harvest data on demand and exfiltrate it. Notable features include:

Recording with the microphone, front & rear cameras

Collecting SMS and multimedia message contents, call logs

Sending SMS messages, blocking incoming SMS

Initiating phone calls

Taking screen captures

Overriding system settings such as GPS & Network

Modifying files on the phone’s filesystem

Key points

SentinelLabs identified three Android application packages (APK) linked to Transparent Tribe’s CapraRAT mobile remote access trojan (RAT).

These apps mimic the appearance of YouTube, though they are less fully featured than the legitimate native Android YouTube application.

CapraRAT is a highly invasive tool that gives the attacker control over much of the data on the Android devices that it infects.

Conclusion

Transparent Tribe is a perennial actor with reliable habits. The relatively low operational security bar enables swift identification of their tools.

The group’s decision to make a YouTube-like app is a new addition to a known trend of the group weaponising Android applications with spyware and distributing them to targets through social media.

Individuals and organisations connected to diplomatic, military, or activist matters in the India and Pakistan regions should evaluate their defences against this actor and threat.

Defensive and preventative measures should include:

Do not install Android applications from outside the Google Play Store.

Be wary of new social media applications advertised within social media communities.

Evaluate the permissions requested by an application, especially one you are not familiar with. Do these permissions expose you to more risk than the potential benefit of the app?

Do not install a third-party version of an application already on your device.
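The permission review recommended above can be made systematic. The following is an added example, not code from SentinelOne or from the report: it parses a decoded AndroidManifest.xml (as produced by apktool or aapt), compares the requested permissions against the small set a video-player app legitimately needs, and maps any extra permissions onto the CapraRAT capability list given earlier (recording, SMS and call-log collection, sending SMS, placing calls, changing system settings, modifying files). The Android permission identifiers are real; the capability grouping, the video-player baseline, and both sample manifests are my own constructions for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Real Android permission names grouped by the CapraRAT capabilities the
# report lists. The grouping is constructed for this example.
CAPABILITY_PERMISSIONS = {
    "microphone/camera recording": {
        "android.permission.RECORD_AUDIO",
        "android.permission.CAMERA",
    },
    "SMS/MMS and call-log collection": {
        "android.permission.READ_SMS",
        "android.permission.RECEIVE_MMS",
        "android.permission.READ_CALL_LOG",
    },
    "sending/blocking SMS": {
        "android.permission.SEND_SMS",
        "android.permission.RECEIVE_SMS",
    },
    "initiating phone calls": {
        "android.permission.CALL_PHONE",
    },
    "overriding system settings (GPS/network)": {
        "android.permission.WRITE_SETTINGS",
        "android.permission.WRITE_SECURE_SETTINGS",
        "android.permission.CHANGE_NETWORK_STATE",
    },
    "filesystem modification": {
        "android.permission.WRITE_EXTERNAL_STORAGE",
        "android.permission.MANAGE_EXTERNAL_STORAGE",
    },
}

# Constructed baseline: what a YouTube-style video player plausibly needs.
VIDEO_PLAYER_BASELINE = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.WAKE_LOCK",
}


def requested_permissions(manifest_xml: str) -> set:
    """Return the set of android:name values from <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {
        elem.get(NAME_ATTR)
        for elem in root.iter("uses-permission")
        if elem.get(NAME_ATTR)
    }


def assess(manifest_xml: str, baseline: set) -> dict:
    """Flag permissions outside the baseline and the RAT capabilities they enable."""
    perms = requested_permissions(manifest_xml)
    unexpected = perms - baseline
    capabilities = {
        cap for cap, needed in CAPABILITY_PERMISSIONS.items() if unexpected & needed
    }
    return {
        "requested": sorted(perms),
        "unexpected": sorted(unexpected),
        "capabilities": capabilities,
    }


def manifest_with(*perms: str) -> str:
    """Build a minimal decoded AndroidManifest.xml (constructed sample input)."""
    lines = [f'<uses-permission android:name="{p}"/>' for p in perms]
    return (
        f'<manifest xmlns:android="{ANDROID_NS}" package="example.player">'
        + "".join(lines)
        + "<application/></manifest>"
    )


# Constructed samples: a plausible video player and a clone asking for far more.
BENIGN_MANIFEST = manifest_with(
    "android.permission.INTERNET", "android.permission.ACCESS_NETWORK_STATE"
)
SUSPICIOUS_MANIFEST = manifest_with(
    "android.permission.INTERNET",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.CALL_PHONE",
    "android.permission.WRITE_SETTINGS",
    "android.permission.WRITE_EXTERNAL_STORAGE",
)

if __name__ == "__main__":
    for label, manifest in (("benign", BENIGN_MANIFEST), ("suspicious", SUSPICIOUS_MANIFEST)):
        report = assess(manifest, VIDEO_PLAYER_BASELINE)
        print(f"{label}: unexpected={report['unexpected']}")
        for cap in sorted(report["capabilities"]):
            print(f"  enables: {cap}")
```

Run on a real decoded manifest, the interesting output is the list of capabilities that the extra permissions would enable; a "video player" whose manifest lights up every row of the CapraRAT feature list is a strong reason not to install it. Permissions alone do not prove malice, so treat the result as triage input rather than a verdict.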