CapraRAT Spyware Camouflaged as Popular Applications Puts Android Users at Risk
A cybercriminal group identified as Transparent Tribe has been persistently distributing Android applications containing spyware, as a part of their strategy to target specific individuals using social engineering techniques.
“These installation packages maintain the group’s pattern of integrating spyware into handpicked video browsing tools, with a recent development aiming at mobile game enthusiasts, firearm aficionados, and TikTok supporters,” noted SentinelOne cybersecurity researcher Alex Delamotte in a recent analysis conveyed to The Hacker News.
The operation, labeled CapraTube, was first documented by the security firm in September 2023, when the group used weaponized Android apps posing as legitimate applications such as YouTube to deliver CapraRAT spyware, a modified version of AndroRAT capable of harvesting a wide range of sensitive information.
Transparent Tribe, believed to be based in Pakistan, has used CapraRAT for more than two years to target Indian government and military personnel. The group is known for favoring spear-phishing and watering hole attacks to deploy various forms of spyware tailored for both Windows and Android platforms.
“The operations discussed in this report indicate a continuation of this method with enhancements to the social engineering pretenses and endeavors to enhance the spyware’s compatibility with older versions of the Android system while broadening the range of targets to encompass the present-day versions of Android,” Delamotte elucidated.
The new malicious APK files identified by SentinelOne include:
- Crazy Game (com.maeps.crygms.tktols)
- Sexy Videos (com.nobra.crygms.tktols)
- TikToks (com.maeps.vdosa.tktols)
- Weapons (com.maeps.vdosa.tktols)
CapraRAT uses a WebView to load a URL pointing to either YouTube or the mobile gaming site CrazyGames[.]com, while in the background abusing its permissions to access location, SMS messages, contacts and call logs, make phone calls, take screenshots, and record audio and video covertly.
A notable change in the spyware is the removal of the permissions READ_INSTALL_SESSIONS, GET_ACCOUNTS, AUTHENTICATE_ACCOUNTS, and REQUEST_INSTALL_PACKAGES, suggesting the threat actors now use it more as a surveillance tool than as a conventional backdoor.
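As an added illustration that is not part of SentinelOne's report or this article, the Python script below triages an AndroidManifest.xml the way a defender would check a sideloaded "video app" before trusting it: it extracts the requested permissions, maps them to the surveillance capabilities described above (location, SMS, contacts, call log, calls, audio and video capture), and notes whether the account and install permissions the newer builds dropped are still present. The two manifests, their package names and the flagging threshold are constructed for this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Permissions that grant surveillance-style access, mapped to the capability
# they enable. The list follows the capabilities described in the text.
SURVEILLANCE_PERMISSIONS = {
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALL_LOG": "call_log",
    "android.permission.CALL_PHONE": "call_phone",
    "android.permission.RECORD_AUDIO": "audio",
    "android.permission.CAMERA": "video",
}

# Permissions the report says were removed from the newer builds; their presence
# points at the older, backdoor-style configuration rather than pure surveillance.
BACKDOOR_PERMISSIONS = {
    "android.permission.READ_INSTALL_SESSIONS",
    "android.permission.GET_ACCOUNTS",
    "android.permission.AUTHENTICATE_ACCOUNTS",
    "android.permission.REQUEST_INSTALL_PACKAGES",
}


def requested_permissions(manifest_xml: str) -> set:
    """Return the set of android:name values from every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}


def triage(manifest_xml: str, threshold: int = 3) -> dict:
    """Summarise what a manifest can do; flag it when it requests `threshold` or more
    distinct surveillance capabilities, which a plain video or game front end does not need."""
    root = ET.fromstring(manifest_xml)
    perms = requested_permissions(manifest_xml)
    capabilities = sorted({SURVEILLANCE_PERMISSIONS[p] for p in perms if p in SURVEILLANCE_PERMISSIONS})
    return {
        "package": root.get("package"),
        "capabilities": capabilities,
        "backdoor_permissions": sorted(perms & BACKDOOR_PERMISSIONS),
        "suspicious": len(capabilities) >= threshold,
    }


# Constructed manifest mimicking a "video app" that asks for far more than it needs.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.videos">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <application android:label="Videos"/>
</manifest>"""

# Constructed manifest for a benign WebView wrapper that only needs network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.viewer">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Viewer"/>
</manifest>"""

if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(triage(manifest))
```

Run against the manifest extracted from an APK (for example with apktool), the script gives a quick first-pass verdict; a flagged result is a reason to inspect the app's code and network behaviour, not a conviction on its own, since legitimate messaging or navigation apps legitimately request several of these permissions.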
“The amendments to the CapraRAT code from the September 2023 offensive to the present campaign are marginal, but point towards a focus on enhancing the tool’s reliability and robustness,” affirmed Delamotte.
“The decision to migrate to newer versions of the Android OS is rational and probably conforms with the group’s persistent focus on individuals associated with the Indian government or military, who are unlikely to operate devices running outdated Android versions like Lollipop that debuted 8 years ago.”
The disclosure coincides with Promon unveiling a new strain of Android banking malware dubbed Snowblind which, like FjordPhantom, attempts to evade detection and covertly abuse the operating system's accessibility services API.
“Snowblind […] executes a standard repackaging assault but employs a lesser-known technique rooted in seccomp that has the capability to circumvent numerous anti-tampering mechanisms,” as per the company’s report.
“Notably, FjordPhantom and Snowblind aim at applications from Southeast Asia and leverage sophisticated new offensive strategies, indicating a significant adeptness among malware creators in that region.”