CapraRAT Surveillance Software Disguised as Popular Applications Puts Android Users at Risk
The threat actor known as Transparent Tribe has been distributing spyware-laced Android applications in a campaign built to lure victims through their specific interests.
“These APKs extend the syndicate’s practice of inserting surveillance software into carefully curated video exploration apps, with a new focus on targeting mobile gaming enthusiasts, firearm hobbyists, and followers of TikTok,” SentinelOne security researcher Alex Delamotte said in a recent report shared with The Hacker News.
The campaign, dubbed CapraTube, was first documented by the security firm in September 2023, when the group used weaponized Android apps posing as legitimate ones such as YouTube to deliver CapraRAT, a customized variant of AndroRAT built to harvest a broad range of sensitive data from the device.
Transparent Tribe, suspected to operate out of Pakistan, has used CapraRAT for more than two years in operations aimed at Indian government and military personnel. The group distributes a range of surveillance tools for both Windows and Android through spear-phishing and watering hole attacks.
“The actions highlighted in this report reflect the continuation of this tactic with refinements to the social engineering ploys, coupled with endeavors to enhance the spyware’s compatibility not only with older versions of the Android operating system but also with newer editions,” Delamotte elaborated.
The malicious APK files newly identified by SentinelOne include:
- Crazy Game (com.maeps.crygms.tktols)
- Provocative Media (com.nobra.crygms.tktols)
- TikTok Viewer (com.maeps.vdosa.tktols)
- Weapon Resources (com.maeps.vdosa.tktols)
CapraRAT uses a WebView to load a URL for either YouTube or the mobile gaming site CrazyGames[.]com as a decoy, while in the background abusing the permissions it has been granted to access location data, SMS messages, contacts, and call logs, place phone calls, take screenshots, and record audio and video.
A notable change in the newer builds is the removal of permissions such as READ_INSTALL_SESSIONS, GET_ACCOUNTS, AUTHENTICATE_ACCOUNTS, and REQUEST_INSTALL_PACKAGES. REQUEST_INSTALL_PACKAGES is what an app needs to prompt the user to sideload additional APKs, so dropping it and the account-related permissions suggests the operators have shifted focus from backdoor capability (staging further payloads) toward the surveillance functionality itself.
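The permission profile described above is something a practitioner can check for directly. The following is an added triage example, not code from SentinelOne or from the CapraRAT samples: it parses a decoded AndroidManifest.xml (as produced by a tool such as apktool), lists the requested permissions, and flags the surveillance cluster and the dropped installer/account cluster. The sample manifest embedded in the script is constructed for illustration and is not a real CapraRAT manifest; the threshold of four surveillance permissions is an arbitrary choice for the example.

```python
"""Added example (not SentinelOne's or the malware's own code): triage the
permissions requested in a decoded AndroidManifest.xml and flag the
surveillance and package-installation clusters discussed in the report.

Assumes the manifest was decoded with a tool such as apktool. The sample
manifest at the bottom is constructed for illustration only."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that together enable the surveillance behaviour the report
# describes: location, SMS, contacts, call logs, calls, audio/video capture.
SURVEILLANCE = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.CALL_PHONE",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
}

# Permissions the report says were removed from the newer builds; their
# presence points to the older, backdoor-capable variant.
INSTALLER = {
    "android.permission.READ_INSTALL_SESSIONS",
    "android.permission.GET_ACCOUNTS",
    "android.permission.AUTHENTICATE_ACCOUNTS",
    "android.permission.REQUEST_INSTALL_PACKAGES",
}

# Package names listed in the report. A game/video/TikTok app requesting the
# surveillance cluster is suspicious regardless of its name.
KNOWN_PACKAGES = {
    "com.maeps.crygms.tktols",
    "com.nobra.crygms.tktols",
    "com.maeps.vdosa.tktols",
}


def parse_manifest(xml_text):
    """Return (package name, set of requested permission names)."""
    root = ET.fromstring(xml_text)
    pkg = root.get("package", "")
    perms = {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }
    return pkg, perms


def triage(xml_text, min_surveillance=4):
    """Classify a manifest by which permission clusters it requests.

    min_surveillance is an arbitrary threshold chosen for this example."""
    pkg, perms = parse_manifest(xml_text)
    surv = sorted(perms & SURVEILLANCE)
    inst = sorted(perms & INSTALLER)
    verdict = "clean"
    if len(surv) >= min_surveillance:
        # Installer permissions alone are common in legitimate apps, so they
        # only escalate a verdict that the surveillance cluster already set.
        verdict = "surveillance+installer" if inst else "surveillance"
    return {
        "package": pkg,
        "known_package": pkg in KNOWN_PACKAGES,
        "surveillance_perms": surv,
        "installer_perms": inst,
        "verdict": verdict,
    }


# Constructed sample manifest: mimics the newer, installer-permission-free
# profile described in the report. Not a real CapraRAT manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.maeps.vdosa.tktols">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>
"""

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_MANIFEST), indent=2))
```

Run it against any manifest pulled out of a suspicious APK with apktool; a video or game app that requests the full surveillance cluster warrants a closer look at its WebView usage and background services, and the presence of the installer cluster indicates the older, backdoor-capable build.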
“The alterations made to the CapraRAT code since the September 2023 campaign are minor but are indicative of the developers’ efforts to improve the tool’s reliability and robustness,” Delamotte remarked.
“The decision to adapt to more recent versions of the Android OS makes sense and aligns with the syndicate’s sustained interest in targeting individuals associated with the Indian government or military, who are less likely to utilize devices running older Android versions such as Lollipop, which debuted 8 years ago.”
The disclosure coincides with Promon’s description of a new Android banking malware called Snowblind, which, like FjordPhantom, seeks to evade detection by covertly abusing the operating system’s accessibility services API.
“Snowblind […] executes a standard repackaging assault but leverages an obscure technique rooted in seccomp that can evade numerous anti-tampering safeguards,” the company explained.
“Notably, FjordPhantom and Snowblind concentrate on apps from Southeast Asia, harnessing sophisticated new attack methodologies. This trend indicates a high level of sophistication among malware developers in that region.”