CapraRAT spyware disguised as popular app threatens Android users

July 1, 2024 | Newsroom | Mobile Security / Spyware

A threat actor known as Transparent Tribe continues to distribute malware-laden Android apps as part of a social engineering campaign targeting individuals of interest.

“These APKs continue the group’s trend of embedding spyware into select video viewing applications, with new expansion targeting mobile gamers, weapons enthusiasts, and TikTok fans,” SentinelOne security researcher Alex Delamotte said in a new report shared with The Hacker News.

The attack, dubbed CapraTube, was first outlined by the cybersecurity firm in September 2023. The hacker group used weaponized Android apps disguised as legitimate apps such as YouTube to deliver spyware called CapraRAT, a modified version of AndroRAT with the ability to obtain a wide range of sensitive data.

Suspected to be of Pakistani origin, Transparent Tribe has been using CapraRAT to target Indian government and military personnel for over two years. The group has a history of using spear phishing and waterholing attacks to distribute a variety of Windows and Android spyware.

“The activity highlighted in this report indicates a continuation of this technique with updated social engineering pretenses, as well as an effort to maximize the compatibility of the spyware with older versions of the Android operating system while expanding its attack surface to the latest versions of Android,” Delamotte explained.

The list of new malicious APK files identified by SentinelOne is as follows:

  • Crazy Games (com.maeps.crygms.tktols)
  • Sexy Video (com.nobra.crygms.tktols)
  • TikTok (com.maeps.vdosa.tktols)
  • Weapons (com.maeps.vdosa.tktols)

CapraRAT uses a WebView to launch URLs to YouTube or a mobile gaming site called CrazyGames(.)com, and in the background it abuses permissions to access location, SMS messages, contacts, call history, make phone calls, take screenshots, and record audio and video.

A notable change to this malware is that it no longer requests permissions such as READ_INSTALL_SESSIONS, GET_ACCOUNTS, AUTHENTICATE_ACCOUNTS, or REQUEST_INSTALL_PACKAGES, suggesting that the threat actors intend to use this as a surveillance tool rather than a backdoor.
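The package names and permission profile above are the kind of detail a defender can turn into a triage check. The following Python is an added example, not code from the article or from SentinelOne: it reads a decoded AndroidManifest.xml (as emitted by apktool), flags the package names listed in the report, and labels the requested permissions as the surveillance cluster the article describes or the install-related cluster the new builds dropped. The four-permission threshold and the sample manifest are constructed assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Package names from the SentinelOne list quoted in the article.
CAPRARAT_PACKAGES = {"com.maeps.crygms.tktols", "com.nobra.crygms.tktols",
                     "com.maeps.vdosa.tktols"}
# Permissions behind the capabilities the article attributes to CapraRAT:
# location, SMS, contacts, call history, calls, audio and video capture.
SURVEILLANCE_PERMS = {
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS", "android.permission.READ_CALL_LOG",
    "android.permission.CALL_PHONE", "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
}
# Permissions the article says the new builds no longer request.
INSTALLER_PERMS = {
    "android.permission.READ_INSTALL_SESSIONS", "android.permission.GET_ACCOUNTS",
    "android.permission.AUTHENTICATE_ACCOUNTS",
    "android.permission.REQUEST_INSTALL_PACKAGES",
}

def triage_manifest(manifest_xml: str) -> dict:
    """Triage a decoded (text) AndroidManifest.xml, e.g. as emitted by apktool."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package", "")
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    surveillance = sorted(perms & SURVEILLANCE_PERMS)
    installer = sorted(perms & INSTALLER_PERMS)
    # Assumed heuristic: a video/game app asking for four or more of the
    # surveillance permissions with no install-related ones fits the article's
    # "surveillance tool rather than backdoor" description.
    if installer:
        profile = "backdoor-capable"
    elif len(surveillance) >= 4:
        profile = "surveillance"
    else:
        profile = "benign-looking"
    return {"package": pkg, "known_ioc": pkg in CAPRARAT_PACKAGES,
            "surveillance": surveillance, "installer": installer, "profile": profile}

# Constructed sample manifest (not from a real sample) so the block runs offline.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.maeps.vdosa.tktols">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
</manifest>"""
```

Run `triage_manifest(SAMPLE_MANIFEST)` to see the sample flagged as a known IoC with a surveillance profile; a manifest requesting only INTERNET comes back as benign-looking.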

“While updates made to the CapraRAT code between the September 2023 campaign and the current campaign are minimal, they suggest the developers are focusing on making the tool more reliable and stable,” Delamotte said.

“The decision to move to a newer version of the Android OS is logical and likely consistent with the group’s ongoing targeting of individuals in the Indian government and military sectors who are unlikely to use devices running older versions of Android, such as Lollipop, which was released eight years ago.”

The revelation comes in the wake of Promon’s publication of a new type of Android banking malware called Snowblind, which, like FjordPhantom, attempts to evade detection methods and stealthily exploit the operating system’s Accessibility Services API.

“Snowblind performs the usual repackaging attacks, but uses a lesser known technique based on seccomp that can circumvent many anti-tamper mechanisms,” the company said.

“Interestingly, FjordPhantom and Snowblind are targeting apps in Southeast Asia and leveraging powerful new attack techniques, which seems to indicate a high level of sophistication among malware authors in the region.”
