A sophisticated malware campaign targeting Android devices has been uncovered by researchers at cybersecurity firm SentinelOne. The hackers, a group called Transparent Tribe with suspected ties to Pakistan, are spreading malware known as CapraRAT through fake versions of popular apps like YouTube.
CapraRAT acts as a remote access trojan, allowing hackers to gain complete control over compromised devices. Once installed, it has extensive monitoring and data extraction capabilities. The malware can record audio and video through a device’s microphone and cameras, collect SMS messages and call logs, initiate calls and SMS texts, override system settings like GPS, take screenshots, and more.
Transparent Tribe has previously targeted military personnel, diplomats, human rights activists, and others involved in Kashmir affairs through spear-phishing campaigns. The fake Android apps are the latest evolution of their techniques for compromising devices of targeted individuals.
According to the Times of India, researchers found apps named after their legitimate counterparts, such as “com.Base.media.service” masquerading as YouTube. The hackers rely on social engineering, romance-based phishing techniques, and self-run websites to distribute the apps and trick users into installing them.
Unlike apps on the Google Play Store, these fake apps are distributed as APK files outside of the official app marketplace. Users who install apps from third-party sites and unknown developers are especially at risk of inadvertently installing the malware.
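As an added example, not code from SentinelOne or from this article, the following Python script triages the output of `adb shell pm list packages -3 -i` (third-party packages with their installing package) and flags the package name reported above as well as any package that did not arrive through the Play Store. The sample output is constructed, and the trusted-installer list is an assumption to adjust per fleet.

```python
import re
from typing import Dict, List

# Constructed sample of `adb shell pm list packages -3 -i` output; not captured
# from a real device. A sideloaded APK typically shows installer=null.
SAMPLE_PM_OUTPUT = """\
package:com.whatsapp  installer=com.android.vending
package:com.Base.media.service  installer=null
package:org.mozilla.firefox  installer=com.android.vending
package:com.sec.android.app.samsungapps  installer=com.sec.android.app.samsungapps
"""

# Package name reported for the CapraRAT build posing as YouTube (from the article).
KNOWN_BAD_PACKAGES = {"com.base.media.service"}

# Installers treated as trusted storefronts (assumption: Play Store only).
TRUSTED_INSTALLERS = {"com.android.vending"}

LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)\s*$")


def parse_pm_output(text: str) -> Dict[str, str]:
    """Map each package name to its installer ('null' for sideloaded APKs)."""
    packages: Dict[str, str] = {}
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            packages[match.group("pkg")] = match.group("inst")
    return packages


def triage(packages: Dict[str, str]) -> Dict[str, List[str]]:
    """Sort packages into known-bad, sideloaded (review), and store-installed."""
    verdict: Dict[str, List[str]] = {"known_bad": [], "sideloaded": [], "store": []}
    for pkg, installer in packages.items():
        # Compare case-insensitively: Android package names are case-sensitive,
        # but operators vary casing (com.Base... vs com.base...) to dodge lookups.
        if pkg.lower() in KNOWN_BAD_PACKAGES:
            verdict["known_bad"].append(pkg)
        elif installer not in TRUSTED_INSTALLERS:
            verdict["sideloaded"].append(pkg)
        else:
            verdict["store"].append(pkg)
    return verdict


if __name__ == "__main__":
    for bucket, names in triage(parse_pm_output(SAMPLE_PM_OUTPUT)).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Packages in the `sideloaded` bucket are not necessarily malicious (vendor stores land there too); they are the set worth checking against the permissions described above.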
“CapraRAT is a highly invasive tool that gives the attacker control over much of the data on the Android devices that it infects,” said Alex Delamotte, a security researcher at SentinelOne. The malware is believed to be loosely based on the source code of a widely used Android remote access trojan called AndroRAT.
Google Play Protect and other mobile security software may be able to detect and block some versions of the malware. But cybersecurity experts caution that users should only install apps from trustworthy sources like the Google Play Store. Enabling installation from “Unknown sources” under Android security settings increases the risk of infection from malware campaigns like CapraRAT.
The discovery highlights the increasing sophistication of hacker groups in targeting mobile devices. Users should be vigilant about scrutinizing app permissions, updating devices regularly, and using secure settings to reduce their vulnerability. Cybersecurity researchers expect Transparent Tribe’s surveillance efforts to continue evolving as they hone their techniques for compromising Android devices.