CapraRAT Impersonates YouTube to Hijack Android Devices

A known Pakistan-linked threat actor is dangling romance-based content lures to spread Android-based spyware that mimics YouTube to hijack Android devices. In this way, threat actors gain almost total control over victims' mobile phones for cyber-espionage and surveillance activity.

Researchers from SentinelLabs have identified three Android application packages (APKs) linked to CapraRAT (a remote access Trojan) from Transparent Tribe, they revealed in a blog post published Sept. 18.

Two of the packages aim to trick users into downloading what they think is the legitimate YouTube app, and a third uses romance-based social engineering by reaching out to a YouTube channel belonging to a persona called "Piya Sharma," which includes uploads of several short clips of a woman in various locations.

"These apps mimic the appearance of YouTube, though they are less fully featured than the legitimate native Android YouTube application," SentinelLabs security researcher Alex Delamotte wrote in the post.

Transparent Tribe, also known as APT36 and Earth Karkaddan, is a Pakistani threat group that's been active since 2013 and typically targets military and diplomatic personnel in both India and Pakistan, with more recent campaigns targeting India's education sector. The group also was active during COVID-19 as part of a wave of attacks against remote workers.

Hiding in Malicious Android Apps

Transparent Tribe tends to use Android-based spyware in attacks, though it's also hidden malicious payloads behind malicious Office documents. CapraRAT, discovered and named by TrendMicro early last year, is the group's latest weapon of choice against Android users with a notably identifiable structure — the malware is ostensibly an Android framework that hides RAT features inside of another application.

Transparent Tribe distributes Android apps delivering malware outside of the Google Play Store, relying on self-run websites and social engineering to convince users to install a weaponized application. In a campaign earlier this year, the group also distributed CapraRAT via Android apps disguised as a dating service, which has become a common lure theme for delivering the malware.

"The group's decision to make a YouTube-like app is a new addition to a known trend of the group weaponizing Android applications with spyware and distributing them to targets through social media," Delamotte wrote.

Transparent Tribe has wielded CapraRAT mainly against targets who have insight or information related to affairs involving the disputed region of Kashmir, as well as human rights activists working on matters related to Pakistan, she added.

CapraRAT Doing RAT Things

The researchers identified and analyzed three YouTube-themed CapraRAT APKs — two disguised as YouTube itself that borrow the video-sharing service's icon, and the third called Piya Sharma that uses the previously mentioned YouTube persona's image and likeness.

"This theme suggests that the actor continues to use romance-based social engineering techniques to convince targets to install the applications, and that Piya Sharma is a related persona," Delamotte wrote.

Once downloaded, the malicious app requests several device permissions, some that make sense for YouTube — such as taking photos and videos, and gaining microphone access. Other requested permissions — such as the ability to send, receive, and read SMS messages — reflect CapraRAT's bad intent.

Other capabilities of CapraRAT on a compromised Android device include: finding accounts on the device; accessing contact lists; and reading, modifying, and/or deleting contents of a device's SD card.

When the app is launched, it uses a WebView object to load YouTube's website in a way that's different than the native YouTube app for Android. In fact, it's more "akin to viewing the YouTube page in a mobile web browser," Delamotte wrote.

Defense Measures Against Android Spyware

SentinelLabs is warning individuals and organizations connected to diplomatic, military, or activist matters in India or Pakistan to be wary of attacks by Transparent Tribe, and this campaign in particular's impersonation of YouTube to lure victims.

Android users should never install Android applications distributed outside of the Google Play store itself and also avoid downloading new social media applications advertised within social media communities.

In addition to those commonsense measures, people also should evaluate the permissions requested by an application that they download, particularly for new or previously unfamiliar apps, to ensure they are not being exposed to risk. Further, SentinelLabs advises they should never install a third-party version of an application that's already present on their device.