CapraTube remix - Transparent Tribe’s Android spyware targeting gamers, weapons enthusiasts
July 2024 by SentinelOne
Transparent Tribe (aka APT 36, Operation C-Major) has been active since at least 2016 with attacks against Indian government and military personnel. The group relies heavily on social engineering, including spear-phishing and watering hole attacks, to deliver a variety of Windows and Android spyware.
In September 2023, SentinelLabs outlined the CapraTube campaign, which used weaponised Android applications (APK) designed to mimic YouTube, often in a suspected dating context due to the nature of the videos served. The activity highlighted in this report shows the continuation of this technique with updates to the social engineering pretexts as well as efforts to maximise the spyware’s compatibility with older versions of the Android operating system while expanding the attack surface to include modern versions of Android.
The previous CapraTube campaign had one APK called Piya Sharma that was likely used in a romance-themed social engineering pretext. The new campaign continues that trend with the Sexy Videos app. While two of the previously reported apps launched only YouTube with no query, the YouTube apps from this campaign are each preloaded with a query related to the application’s theme. The TikTok app launches YouTube with the query “Tik Toks,” and the Weapons app launches the Forgotten Weapons YouTube channel, which reviews a variety of classic arms and has 2.7 million subscribers.
The most significant changes between this campaign and the September 2023 campaign are to app compatibility. The newest CapraRAT APKs SentinelLabs identified now contain references to Android’s Oreo version (Android 8.0), which was released in 2017. Previous versions relied on the device running Lollipop (Android 5.1), which was released in 2015 and is less likely to be compatible with modern Android devices.
Key points
• SentinelLabs has identified four new CapraRAT APKs associated with suspected Pakistan state-aligned actor Transparent Tribe.
• These APKs continue the group’s trend of embedding spyware into curated video browsing applications, with a new expansion targeting mobile gamers, weapons enthusiasts, and TikTok fans.
• The overall functionality remains the same, with the underlying code updated to better suit modern Android devices.
Conclusion
The updates to the CapraRAT code between the September 2023 campaign and the current campaign are minimal but suggest the developers are focused on making the tool more reliable and stable. The decision to move to newer versions of the Android OS is logical and likely aligns with the group’s sustained targeting of individuals in the Indian government or military space who are unlikely to use devices running older versions of Android, such as Lollipop, which was released eight years ago.
The APK theme updates show the group continues to lean into its social engineering prowess to gain a wider audience of targets who would be interested in the new app lures, such as mobile gamers or weapons enthusiasts.
To help prevent compromise by CapraRAT and similar malware, users should always evaluate the permissions requested by an app to determine if they are necessary. For example, an app that only displays TikTok videos does not need the ability to send SMS messages, make calls, or record the screen. In incident response scenarios, treat the related network indicators of compromise as suspect, including the use of port 18582, and search suspect apps for the presence of strings using the unique method names outlined in the Spyware Activities & C2 section of this report.
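As an added example (not code from the SentinelLabs report), the following Python triage script applies the two defensive checks above to constructed input: it flags manifest permissions that a video-browsing app has no reason to request, and it flags connections to port 18582 in sample connection-log lines. The permission baseline, the manifest entries and the log lines are assumptions for illustration, not data from a real CapraRAT sample.

```python
import re

# Permissions a plain video-browsing app has no reason to request. Assumed
# baseline for illustration; the report's example is an app that only shows
# TikTok videos yet asks to send SMS, make calls or record the screen.
SUSPICIOUS_PERMISSIONS = {
    "android.permission.SEND_SMS",
    "android.permission.READ_SMS",
    "android.permission.CALL_PHONE",
    "android.permission.READ_CALL_LOG",
    "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
}

# Port the report lists among the CapraRAT network indicators.
CAPRARAT_C2_PORT = 18582

# Constructed sample: <uses-permission> entries as they appear in a decoded
# AndroidManifest.xml (not taken from a real CapraRAT sample).
SAMPLE_MANIFEST = """
<uses-permission android:name="android.permission.INTERNET"/>
<uses-permission android:name="android.permission.SEND_SMS"/>
<uses-permission android:name="android.permission.RECORD_AUDIO"/>
<uses-permission android:name="android.permission.CALL_PHONE"/>
"""

# Constructed sample connection log: "src dst dst_port proto" per line.
SAMPLE_CONN_LOG = """\
10.0.0.12 203.0.113.5 443 tcp
10.0.0.12 203.0.113.9 18582 tcp
10.0.0.12 198.51.100.7 80 tcp
"""

PERM_RE = re.compile(r'<uses-permission\s+android:name="([^"]+)"')

def flag_permissions(manifest_text: str) -> list:
    """Return requested permissions that a video viewer should not need."""
    requested = PERM_RE.findall(manifest_text)
    return sorted(p for p in requested if p in SUSPICIOUS_PERMISSIONS)

def flag_c2_connections(conn_log: str, port: int = CAPRARAT_C2_PORT) -> list:
    """Return destination hosts contacted on the CapraRAT-associated port."""
    hits = []
    for line in conn_log.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[2].isdigit() and int(fields[2]) == port:
            hits.append(fields[1])
    return hits
```

Run the two functions over a decoded manifest and an exported connection log; any non-empty result is a lead to review, not a verdict on its own.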