A Pakistani hacker who has been targeting Indian entities has been found to be spreading malware via fake YouTube apps. The hacker has been linked to a number of attacks on Indian government and military websites in recent months.
According to the cybersecurity company SentinelOne, the CapraRAT toolset has been used for surveillance against spear-phishing targets privy to affairs involving the disputed region of Kashmir, as well as human rights activists working on matters related to Pakistan.
The hacker most recently targeted the Indian education sector.
“CapraRAT is a highly invasive tool that gives the attacker control over much of the data on the Android devices that it infects,” said security researcher Alex Delamotte.
CapraRAT is an Android framework that hides RAT features inside of another application.
According to the report, Transparent Tribe spreads Android apps outside of the Google Play Store, relying on self-run websites and social engineering to lure users to install a weaponized application.
Earlier this year, the group distributed CapraRAT Android apps disguised as a ‘dating service’ that conducted spyware activity.
Moreover, the report found that one of the newly identified APKs reached out to a YouTube channel belonging to Piya Sharma, which has several short clips of a woman in various locales.
This APK also borrowed the individual’s name and likeness, suggesting that the hacker “continues to use romance-based social engineering techniques to convince targets to install the applications and that Piya Sharma is a related persona”.
Upon installation, the apps request intrusive permissions that allow the malware to harvest and exfiltrate sensitive information to a hacker-controlled server with notable features such as — recording with the microphone, front & rear cameras, collecting SMS and multimedia message contents, call logs, sending SMS messages, blocking incoming SMS, initiating phone calls, and more, the report said.
“Transparent Tribe is a perennial actor with reliable habits. The relatively low operational security bar enables swift identification of their tools,” Delamotte said.
“Individuals and organizations connected to diplomatic, military, or activist matters in the India and Pakistan regions should evaluate defense against this actor and threat,” he added.
