Android Users at Risk from Spyware Hidden in Popular Apps

The hacker group Transparent Tribe continues its campaign of distributing malware-laden Android apps through social engineering tactics, aiming to infiltrate the devices of targeted individuals.

According to a new report, the newly identified APKs continue the group's strategy of embedding spyware in video-browsing applications, and the lures have recently broadened to target mobile gamers, weapons enthusiasts, and TikTok fans.

The campaign, named CapraTube, was initially identified by SentinelOne in September 2023. The hackers deploy weaponized Android apps masquerading as legitimate ones, such as YouTube, to deliver a spyware known as CapraRAT. This spyware, a modified version of AndroRAT, can capture a vast array of sensitive data.

Transparent Tribe, believed to be based in Pakistan, has used CapraRAT for more than two years in attacks on Indian government and military personnel. Its tactics typically combine spear-phishing and watering-hole attacks to deliver spyware for both Windows and Android.

“This report highlights the continuation of these techniques with updated social engineering tactics and efforts to enhance the spyware’s compatibility with older and newer versions of the Android OS,” explained the researcher.

The report names several new malicious APK files (lure name, followed by the package name):

– Crazy Game (com.maeps.crygms.tktols)
– Sexy Videos (com.nobra.crygms.tktols)
– TikToks (com.maeps.vdosa.tktols)
– Weapons (com.maeps.vdosa.tktols)

CapraRAT opens sites such as YouTube or CrazyGames[.]com in a WebView so the app appears to work as advertised, while in the background it abuses the permissions it was granted to read location, SMS messages, contacts, and call logs, place phone calls, take screenshots, and record audio and video.

Notably, the malware no longer requests permissions such as READ_INSTALL_SESSIONS, GET_ACCOUNTS, AUTHENTICATE_ACCOUNTS, and REQUEST_INSTALL_PACKAGES, the permissions that would let it enumerate the device's accounts or install additional packages. Dropping them shrinks the permission prompt the victim sees and suggests the attackers intend CapraRAT as a surveillance tool rather than a backdoor for staging further payloads.
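The two observations above, a video or game app that requests the full surveillance permission set and the absence of the account/install permissions, can be checked mechanically from the manifest. The script below is an added example, not code from the article or from SentinelOne: it parses the text that `aapt dump permissions app.apk` prints (both the `name='...'` and the older bare form are handled) and classifies the app. The mapping from the capabilities the article lists to Android permission names is this example's own choice (screenshots have no single permission and are left out), the `EXPECTED_FOR_VIDEO_APP` set is an assumption about what a WebView wrapper legitimately needs, and the sample dump and its `com.example.tktols` package name are constructed for the demonstration.

```python
"""Permission triage for an APK from the output of `aapt dump permissions`.

Verdict logic (this example's own, following the article's reasoning):
  - surveillance permissions present, staging permissions absent -> surveillance-only
  - surveillance permissions present, staging permissions present -> surveillance with backdoor staging
  - no surveillance permissions -> no surveillance capability
"""
import re
from dataclasses import dataclass

# Android permissions for the capabilities the article attributes to CapraRAT.
# Screenshots need MediaProjection or accessibility abuse, not a manifest permission,
# so they are not represented here.
SURVEILLANCE = {
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.RECEIVE_SMS": "SMS messages",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.CALL_PHONE": "placing phone calls",
    "android.permission.RECORD_AUDIO": "audio recording",
    "android.permission.CAMERA": "video recording",
}

# Permissions the article says the new builds no longer request.
BACKDOOR_STAGING = {
    "android.permission.READ_INSTALL_SESSIONS",
    "android.permission.GET_ACCOUNTS",
    "android.permission.AUTHENTICATE_ACCOUNTS",
    "android.permission.REQUEST_INSTALL_PACKAGES",
}

# Assumption: what a WebView wrapper around a video site plausibly needs.
EXPECTED_FOR_VIDEO_APP = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.WAKE_LOCK",
}

# aapt prints either  uses-permission: name='android.permission.X'
# or (older builds)   uses-permission: android.permission.X
_PERM_LINE = re.compile(r"^uses-permission(?:-sdk-23)?:\s*(?:name=')?([A-Za-z0-9_.]+)'?")
_PKG_LINE = re.compile(r"^package:\s*(?:name=')?([A-Za-z0-9_.]+)'?")


@dataclass
class Verdict:
    package: str
    requested: list[str]
    surveillance: dict[str, str]   # permission -> capability it grants
    staging_present: list[str]
    unexplained: list[str]         # requested but not needed by a video app

    @property
    def profile(self) -> str:
        if not self.surveillance:
            return "no surveillance capability"
        if self.staging_present:
            return "surveillance with backdoor staging"
        return "surveillance-only"


def parse_aapt_permissions(dump: str) -> tuple[str, list[str]]:
    """Return (package name, ordered unique permission list) from aapt output."""
    package, perms = "", []
    for raw in dump.splitlines():
        line = raw.strip()
        m = _PKG_LINE.match(line)
        if m:
            package = m.group(1)
            continue
        m = _PERM_LINE.match(line)
        if m and m.group(1) not in perms:
            perms.append(m.group(1))
    return package, perms


def triage(dump: str) -> Verdict:
    package, perms = parse_aapt_permissions(dump)
    return Verdict(
        package=package,
        requested=perms,
        surveillance={p: SURVEILLANCE[p] for p in perms if p in SURVEILLANCE},
        staging_present=[p for p in perms if p in BACKDOOR_STAGING],
        unexplained=[p for p in perms if p not in EXPECTED_FOR_VIDEO_APP],
    )


def describe(v: Verdict) -> list[str]:
    """Human-readable findings, one per line."""
    lines = [f"{v.package}: {v.profile} ({len(v.requested)} permissions requested)"]
    for perm, capability in v.surveillance.items():
        lines.append(f"  grants {capability}: {perm}")
    for perm in v.staging_present:
        lines.append(f"  staging/backdoor permission present: {perm}")
    return lines


# Constructed sample of `aapt dump permissions` output for a video-player lure;
# the package name is hypothetical. One line uses the older bare format on purpose.
SAMPLE_DUMP = """\
package: com.example.tktols
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.ACCESS_NETWORK_STATE'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.READ_CALL_LOG'
uses-permission: name='android.permission.CALL_PHONE'
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='android.permission.CAMERA'
uses-permission: android.permission.WAKE_LOCK
"""

if __name__ == "__main__":
    print("\n".join(describe(triage(SAMPLE_DUMP))))
```

On a real sample, replace `SAMPLE_DUMP` with the output of `aapt dump permissions <file.apk>`; the `unexplained` list is the set to question when the app claims to be a video player or game, and an empty `staging_present` with a populated `surveillance` dict is the surveillance-only profile the article describes.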

“The updates to the CapraRAT code between the September 2023 campaign and the current one are minimal but indicate a focus on improving the tool’s reliability and stability,” the researcher added.

“The move to support newer Android OS versions is logical, aligning with the group’s ongoing targeting of individuals in the Indian government or military, who are less likely to use older Android versions like Lollipop, which was released eight years ago.”

This disclosure comes alongside a report by Promon on a new Android banking malware called Snowblind. Like FjordPhantom, Snowblind abuses the OS's accessibility services API while evading detection. It uses seccomp to intercept and manipulate system calls, which lets it bypass security checks; it then steals credentials, exfiltrates data, and disables protections such as two-factor authentication (2FA) and biometric verification.

CapraRAT is delivered by social engineering outside the official store, so the most effective defence is to refuse sideloaded APKs and install apps only from trusted sources such as the Google Play Store. A video player, game, or TikTok client has no legitimate need for SMS, call-log, contacts, microphone, or camera access; treat such requests as a red flag and deny them. Keeping the Android operating system and all installed apps up to date with the latest security patches remains essential, and a mobile security solution that scans newly installed packages in real time adds a further layer of protection.