A threat actor known as Transparent Tribe has continued to release malware-laden Android apps as part of a social engineering campaign targeting people of interest.
“These APKs continue the group’s trend of embedding spyware into select video viewing apps with a new extension targeting mobile gamers, gun enthusiasts, and TikTok fans,” SentinelOne security researcher Alex Delamotte said in a new report shared with The Hacker News.
The CapraTube campaign was first outlined by the cybersecurity company in September 2023, when the hacking group used weaponized Android apps that mimic legitimate apps like YouTube to deliver spyware called CapraRAT, a modified version of AndroRAT with the ability to collect a wide range of sensitive data.
Transparent Tribe, suspected to be of Pakistani origin, has used CapraRAT for over two years in attacks on Indian government and military personnel. In the past, the group has leaned on phishing and similar attacks to distribute various Windows and Android spyware.
“The activity highlighted in this report shows the continuation of this technique with updates to the basics of social engineering, as well as efforts to maximize the compatibility of the spyware with older versions of the Android operating system while expanding the attack surface to include modern versions of Android,” Delamotte explained.
The list of new malicious APKs detected by SentinelOne is as follows –
- Crazy Game (com.maeps.crygms.tktols)
- Sexy Videos (com.nobra.crygms.tktols)
- TikTok (com.apps.apps.keyboards)
- Weapons (com.maeps.vdosa.tktols)
CapraRAT uses WebView to launch a YouTube URL or the mobile game site CrazyGames(.)com, while in the background it abuses its permissions to access location, SMS messages, contacts, and call logs; make phone calls; take screenshots; and record audio and video.
A notable change in the malware is that permissions such as READ_INSTALL_SESSIONS, GET_ACCOUNTS, AUTHENTICATE_ACCOUNTS, and REQUEST_INSTALL_PACKAGES are no longer requested, indicating that threat actors are looking to use it as a tracking tool rather than a backdoor.
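As an added illustration (not code from SentinelOne's report or from The Hacker News), the script below triages the permission list of a decoded AndroidManifest.xml against the capability profile described above, and separates a build that still requests the dropped install and account permissions from one that keeps only tracking permissions. The sample manifests, package names and the capability threshold are constructed for this example and do not come from the real APKs.

```python
"""Added example, not code from SentinelOne or The Hacker News: triage the
<uses-permission> entries of a decoded AndroidManifest.xml against the
CapraRAT capability profile described in the article. The manifests built
below are constructed samples, not the real APKs' manifests."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that grant each capability the article attributes to CapraRAT.
CAPABILITY_PERMS = {
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
            "android.permission.SEND_SMS"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "call_logs": {"android.permission.READ_CALL_LOG"},
    "phone_calls": {"android.permission.CALL_PHONE"},
    "audio": {"android.permission.RECORD_AUDIO"},
    "camera": {"android.permission.CAMERA"},
}

# Permissions the article says the newer variant no longer requests; their
# presence points to backdoor-style behaviour (installing further packages,
# touching accounts) rather than pure tracking.
BACKDOOR_PERMS = {
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.READ_INSTALL_SESSIONS",
    "android.permission.GET_ACCOUNTS",
    "android.permission.AUTHENTICATE_ACCOUNTS",
}

# Threshold (an assumption of this example): a "video viewing" app asking
# for this many surveillance capabilities at once is treated as spyware-like.
SPYWARE_CAPABILITY_THRESHOLD = 4


def parse_permissions(manifest_xml: str) -> set[str]:
    """Return the android:name of every <uses-permission> in the manifest."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    return {el.get(name_attr) for el in root.iter("uses-permission")
            if el.get(name_attr)}


def assess(manifest_xml: str) -> dict:
    """Map requested permissions to capabilities and classify the profile."""
    root = ET.fromstring(manifest_xml)
    perms = parse_permissions(manifest_xml)
    capabilities = sorted(c for c, names in CAPABILITY_PERMS.items() if perms & names)
    backdoor = sorted(perms & BACKDOOR_PERMS)
    if len(capabilities) < SPYWARE_CAPABILITY_THRESHOLD:
        verdict = "low-concern"
    elif backdoor:
        verdict = "backdoor-profile"   # surveillance plus install/account access
    else:
        verdict = "tracker-profile"    # surveillance only, as in the newer variant
    return {"package": root.get("package"), "capabilities": capabilities,
            "backdoor_permissions": backdoor, "verdict": verdict}


def _manifest(package: str, perms: list[str]) -> str:
    """Build a minimal manifest for the constructed samples below."""
    uses = "\n".join(f'  <uses-permission android:name="{p}" />' for p in perms)
    return (f'<manifest xmlns:android="{ANDROID_NS}" package="{package}">\n'
            f'{uses}\n  <application android:label="Sample" />\n</manifest>')


SURVEILLANCE = ["android.permission.INTERNET", "android.permission.ACCESS_FINE_LOCATION",
                "android.permission.READ_SMS", "android.permission.READ_CONTACTS",
                "android.permission.READ_CALL_LOG", "android.permission.CALL_PHONE",
                "android.permission.RECORD_AUDIO", "android.permission.CAMERA"]

# Constructed sample: older-style build still requesting the dropped permissions.
OLD_STYLE = _manifest("com.example.oldstyle", SURVEILLANCE + sorted(BACKDOOR_PERMS))
# Constructed sample: tracker-style build without them (the change the article describes).
NEW_STYLE = _manifest("com.example.newstyle", SURVEILLANCE)
# Constructed sample: an ordinary video player that only needs network access.
BENIGN = _manifest("com.example.player", ["android.permission.INTERNET"])

if __name__ == "__main__":
    for sample in (OLD_STYLE, NEW_STYLE, BENIGN):
        print(assess(sample))
```

Run it against the manifest that apktool or a similar decoder writes out for an APK under review; the verdict is a triage hint only, since a legitimate messaging or dialer app can also request several of these permissions, so the capability list should be read against what the app claims to be.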
“CapraRAT code updates between the September 2023 campaign and the current campaign are minimal, but developers are believed to be focused on making the tool more robust and stable,” Delamotte said.
“The decision to move to newer versions of the Android OS is logical and likely coincides with the group’s continued targeting of people in the Indian government or military space who are unlikely to use devices running older versions of Android, such as Lollipop, which was released 8 years ago.”
The disclosure comes after Promon discovered a new type of Android banking malware called Snowblind, which, like FjordPhantom, attempts to bypass detection methods and uses the operating system’s accessibility services API in a stealthy manner.
By using seccomp to intercept and manipulate system calls, the malware is not only able to subvert security checks and fly under the radar, but also to steal credentials, exfiltrate data, and disable features such as two-factor authentication (2FA) or biometric verification.
“Snowblind (…) performs a common repackaging attack, but uses a lesser-known technique based on seccomp which is capable of bypassing many mechanisms against unauthorized access,” the company said in a statement.
“Interestingly, FjordPhantom and Snowblind target applications from Southeast Asia and use powerful new attack techniques. This seems to indicate that malware writers in this region have become extremely sophisticated.”