Transparent Tribe Distributes CapraRAT Through Trojanized YouTube Apps

Transparent Tribe, the suspected Pakistan-linked threat actor, was observed using fake YouTube apps to infect victims’ devices with its remote access trojan (RAT), ‘CapraRAT.’

The group, also known as APT36 is known for using malware-laced tools to target government and defense personnel in India, human rights activists in Pakistan, and those involved in the disputed region of Kashmir.

The trojanized applications, which was first discovered by SentinelLabs, acts as a cyber espionage tool. It can extract and modify files and data, record audios and videos, capture screenshots, send and block incoming SMS messages, override system settings, and initiate phone calls.

These Android apps are distributed outside of the Google Play Store, so it can be deduced that social engineering tactics are employed to lure the victims into downloading and installing the apps. ‘’Earlier in 2023, the group distributed CapraRAT Android apps disguised as a dating service that conducted spyware activity,’’ SentinelLabs revealed.

The latest Android package (APKs) identified contained two apps called ‘YouTube’ and one ‘Piya Sharma.’ The dubious app associated with its namesake suggests, ‘’that the actor continues to use romance-based social engineering techniques to convince targets to install the applications.”

Once installed, these apps request several intrusive permissions to extract sensitive information related to the victim, which is then transferred to an actor controlled C2 (command and control) server. Permissions like, microphone or location access are treated as non-suspicious by the victims.

SentinelLabs reports that the user experience of these apps is different from the native YouTube app available on the official Android Play Store. For a user it’s more like viewing YouTube in a mobile web browser. The reason being the use of WebView object within the trojanized app to launch the website.

In conclusion, SentinelLabs findings reveal that the threat actor will continue with its cyber espionage activities within these countries with new and adaptable malware tools. ‘’The group’s decision to make a YouTube-like app is a new addition to a known trend of the group [..]. Individuals and organizations connected to diplomatic, military, or activist matters in the India and Pakistan regions should evaluate defense against this actor and threat.’’