The APT36 state-sponsored hacking group (aka Transparent Tribe) uses YouTube app clones to infiltrate Android devices in India and Pakistan. These cloned apps allegedly contain the notorious ‘CapraRAT,’ a remote access trojan that could turn smartphones into spyware tools.
The modus operandi of APT36 starts with developing at least three Android apps that resemble YouTube to lure unsuspecting victims. Once users download these counterfeit apps from third-party sites, the RAT launches on the device.
The malware establishes persistence on an infected device by blending into normal activity and acting as a silent observer that monitors the host’s every move. Additionally, CapraRAT can harvest sensitive data, record audio and video, and access confidential information.
The operators of these YouTube app clones use social engineering tactics.
The primary method APT36 uses to spread these YouTube app clones is social engineering. The fake apps ask users to grant permissions during installation, some of which might not raise suspicion in the context of a media streaming app like YouTube.
In addition, these malicious applications impersonate Google’s legitimate YouTube app to deceive users more effectively. However, a closer look reveals discrepancies, as the malware-laden apps utilise WebView to load the service, giving them the appearance of a web browser. Additionally, several features on the legitimate YouTube platform are not present in the fake app.
Once CapraRAT gains control of the device, it can activate the microphone and cameras to record audio and video, collect SMS and multimedia messages, and even initiate phone calls. Furthermore, the RAT can take screenshots, override system settings, and manipulate files on the device’s filesystem.
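The capabilities above map onto Android permissions that a video-streaming app has no reason to request, which is the discrepancy an analyst would look for when triaging a sideloaded "YouTube" APK. The following is an added example, not code from the article or from any analysis of the real samples: it parses a constructed AndroidManifest.xml (hypothetical package name, not a real indicator) and flags spyware-typical permissions and YouTube branding on a non-Google package.

```python
# Added example (not from the article): triage a decoded AndroidManifest.xml
# from a sideloaded "YouTube" APK. The manifest below is constructed; the
# package name is a placeholder, not a real CapraRAT indicator.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
OFFICIAL_YOUTUBE_PACKAGE = "com.google.android.youtube"  # Google's real package

# Permissions matching the RAT capabilities described in the article
# (mic/camera recording, SMS collection, placing calls, settings, files).
SPYWARE_PERMISSIONS = {
    "android.permission.RECORD_AUDIO": "record audio",
    "android.permission.CAMERA": "record video",
    "android.permission.READ_SMS": "collect SMS",
    "android.permission.RECEIVE_SMS": "collect SMS",
    "android.permission.CALL_PHONE": "initiate calls",
    "android.permission.WRITE_SETTINGS": "override system settings",
    "android.permission.WRITE_EXTERNAL_STORAGE": "manipulate files",
}

# Constructed manifest for a hypothetical clone; not a real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.youtube.clone">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <application android:label="YouTube"/>
</manifest>"""


def triage_manifest(manifest_xml: str) -> dict:
    """Return the package name, (permission, capability) findings, and
    whether the app brands itself as YouTube under a non-Google package."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    findings = []
    for node in root.iter("uses-permission"):
        name = node.get(f"{{{ANDROID_NS}}}name", "")
        if name in SPYWARE_PERMISSIONS:
            findings.append((name, SPYWARE_PERMISSIONS[name]))
    app = root.find("application")
    label = app.get(f"{{{ANDROID_NS}}}label", "") if app is not None else ""
    impersonates = "youtube" in label.lower() and package != OFFICIAL_YOUTUBE_PACKAGE
    return {"package": package, "findings": findings, "impersonates_youtube": impersonates}


if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print(key, value)
```

A real APK's manifest is binary XML and must first be decoded (for example with apktool) before being fed to this function.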
The CapraRAT variants in this recent campaign show enhancements compared to previously analysed samples, indicating that APT36 has continuously upgraded its tools. The command-and-control server addresses resemble those of past Transparent Tribe activity, implying that APT36 is behind these attacks.
APT36 remains a persistent and adaptable threat in cyber espionage, applying disguise techniques in its Android RAT. Because this campaign targets individuals in India and Pakistan, those involved in military or diplomatic affairs there, as well as human rights activists, should be wary of YouTube Android apps from unofficial sources.