A politically motivated threat actor has launched a new malware campaign targeting Android devices.
Researchers with SentinelLabs said that a Pakistani state-backed hacking crew known as Transparent Tribe launched a new tool dubbed CapraRAT. The trojan is intended to spy on user activity, with users in India being the primary targets.
As with previous campaigns by Transparent Tribe, CapraRat disguises itself as various popular Android apps. In this case, TikTok, Forgotten Weapons, and a "Sexy Videos" app are used as lures, as is a mobile game known as "Crazy Games."
When the targets launch the malware, the fake app simply redirects the device to the relevant site or YouTube channel in order to make the targets think they are running a legitimate app.
In the meantime, the malware itself is able to perform a number of covert functions, including tracking GPS position, reading user SMS messages and contacts, manage network connections, and track user browsing.
While the malware itself is considered a remote access trojan (RAT) the researchers said they believed that CapraRAT is more likely being used as covert spyware and a surveillance tool rather than a backdoor or remote control malware.
The use of fake apps to disguise malware has long been a popular method for infecting mobile devices. Transparent Tribe, for example, previously conducted a trojan campaign centered on another saucy vids app.
“The new campaign continues that trend with the Sexy Videos app,” the SentinalLabs team noted.
“While two of the previously reported apps launched only YouTube with no query, the YouTube apps from this campaign are each preloaded with a query related to the application’s theme.”
The SentinelLabs crew noted that the malware writers appear to be getting more experienced and sophisticated with their coding practices.
“The new campaign’s apps ran smoothly on this modern version of Android,” the researchers explained.
“The September 2023 campaign apps prompted a compatibility warning dialog, which could raise suspicion among victims that the app is abnormal.”
Users are advised to obtain their software from trusted app stores and be weary of any apps that seek unusually invasive permissions and hardware access.
