A threat actor group known as Transparent Tribe continues to distribute Android applications laced with malware as part of a social engineering strategy aimed at specific individuals.
According to SentinelOne security researcher Alex Delamotte, the group’s latest APKs embed spyware into seemingly innocuous video browsing apps, expanding their targets to include mobile gamers, weapon enthusiasts, and TikTok users.
Initially identified in September 2023, the campaign, dubbed CapraTube, features weaponized Android apps masquerading as legitimate services like YouTube, delivering a modified version of AndroRAT known as CapraRAT. This spyware is capable of extracting sensitive data across a variety of Android devices.
Transparent Tribe, believed to operate out of Pakistan, has employed CapraRAT for over two years in targeted attacks against Indian governmental and military personnel. Their tactics include spear-phishing and watering hole attacks, deploying both Windows and Android spyware.
“The latest activities indicate ongoing refinements in social engineering tactics and efforts to enhance CapraRAT’s compatibility with older and newer versions of Android,” noted Delamotte.
SentinelOne identified several new malicious APK files, including:
- Crazy Game (com.maeps.crygms.tktols)
- Sexy Videos (com.nobra.crygms.tktols)
- TikToks (com.maeps.vdosa.tktols)
- Weapons (com.maeps.vdosa.tktols)
CapraRAT uses WebView to load legitimate sites such as YouTube or the gaming platform CrazyGames[.]com, while covertly collecting sensitive information such as location data, SMS messages, contacts, call logs, and media files.
A significant update to the malware involves omitting permissions like READ_INSTALL_SESSIONS, GET_ACCOUNTS, AUTHENTICATE_ACCOUNTS, and REQUEST_INSTALL_PACKAGES, indicating a shift towards surveillance rather than traditional backdoor access.
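As an added defender-side example, not code from SentinelOne's report or from the article: a small manifest audit that flags the package names listed above and a surveillance-style permission profile matching the data CapraRAT collects (location, SMS, contacts, call logs, media). The manifest is a constructed sample, and the permission list and the threshold of three are assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Package names SentinelOne attributed to the CapraTube campaign (from the article above).
KNOWN_CAPRARAT_PACKAGES = {
    "com.maeps.crygms.tktols",
    "com.nobra.crygms.tktols",
    "com.maeps.vdosa.tktols",
}

# Assumed permission set: what a "video" app would need to collect the data CapraRAT steals.
SURVEILLANCE_PERMISSIONS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_EXTERNAL_STORAGE",
}


def audit_manifest(manifest_xml: str) -> dict:
    """Return findings for a decoded (text) AndroidManifest.xml string."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    requested = {el.get(ANDROID_NS + "name", "") for el in root.iter("uses-permission")}
    matched = sorted(requested & SURVEILLANCE_PERMISSIONS)
    return {
        "package": package,
        "known_capraRAT_package": package in KNOWN_CAPRARAT_PACKAGES,
        "surveillance_permissions": matched,
        # Assumed threshold: three or more of the surveillance permissions in one app is suspicious
        "suspicious_profile": len(matched) >= 3,
    }


# Constructed sample manifest for demonstration; not a real CapraRAT manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.maeps.vdosa.tktols">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
</manifest>"""

if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
```

The audit expects a decoded manifest; binary manifests pulled from an APK must first be decoded with a tool such as apktool or aapt.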
“The recent updates to CapraRAT’s code focus on stability and reliability,” Delamotte explained. “Their decision to target newer Android OS versions reflects a strategic alignment with their targets in the Indian government and military sectors, who typically use more updated devices.”
This disclosure coincides with Promon’s discovery of a new Android banking malware called Snowblind, which employs advanced techniques similar to those of FjordPhantom to evade detection and covertly abuse the accessibility services APIs.
“Snowblind utilizes a sophisticated technique based on seccomp to bypass anti-tampering measures, demonstrating a growing sophistication among malware authors, particularly in Southeast Asia,” Promon stated.
In summary, CapraRAT poses a significant threat to Android users, highlighting the evolving tactics of threat actors like Transparent Tribe in targeting specific user groups with sophisticated spyware campaigns.