
APT36 expands Android RAT campaign using fake persona as lure


Transparent Tribe, or APT36, a Pakistan-based threat actor group, has expanded its Android Remote Access Trojan (RAT) campaign targeting the Indian and Pakistani military, diplomatic and education sectors.

The group is known for using an Android framework called CapraRAT, a tool designed to hide RAT functionality inside seemingly harmless copies of popular apps such as YouTube, often advertised as offering paid features for free.

The current campaign by Transparent Tribe involves utilising romance-based social engineering techniques to trick users into installing their applications.

One of the newly identified APKs loads a YouTube channel belonging to Piya Sharma, borrowing the individual's name and likeness; the channel features several Shorts that include women.

According to researchers from SentinelLabs, the group has been active since 2018, when it deployed CapraRAT to conduct surveillance on spear-phishing targets connected to the Kashmir region and human rights activists focused on Pakistan-related issues. The group relies on distributing Android apps outside the Google Play Store, using self-run websites and social engineering to lure unsuspecting users into installing malicious apps.

Researchers also discovered earlier this year that the group had distributed CapraRAT Android apps disguised as a dating service, demonstrating its evolving and deceptive tactics. The malware was designed to gather data on demand and exfiltrate it, granting the operators extensive control over infected devices.

The fake app showcases the YouTube website. | Source: SentinelLabs

The YouTube-themed CapraRAT APKs are disguised as the YouTube app, using a YouTube icon. These apps request a range of permissions, some of which, such as microphone access, can be justified for recording or search features. Others, such as SMS access, have no relation to the behaviour expected of a video app.

When launched, the trojanised CapraRAT app opens a WebView object to load the YouTube website, giving users an experience that differs from the native YouTube app.

CapraRAT, when launched by these malicious actors on a victim’s device, can:

  • Record with microphone and camera.
  • Collect SMS and call logs.
  • Send and block SMS.
  • Start a phone call.
  • Take screenshots.
  • Override system settings, including GPS and Network.
  • Modify system files.
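The permission mismatch described above can be checked mechanically. The following is an added illustration for this article, not code from SentinelLabs or from the campaign: it parses `aapt dump permissions` output and flags requests that a YouTube-lookalike app cannot justify, labelling those that map onto the capabilities listed above. The allow-list and the sample manifest text are constructed assumptions.

```python
# Added illustration for this article, not code from SentinelLabs or the
# campaign: flag permission requests that a YouTube-lookalike app has no
# obvious use for. The allow-list and sample manifest text are constructed.
import re

# Permissions a video-streaming wrapper app could plausibly justify
# (assumption: a reasonable baseline, not a vendor-published list).
PLAUSIBLE_FOR_VIDEO_APP = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.RECORD_AUDIO",  # voice search, recording
    "android.permission.CAMERA",        # uploads
    "android.permission.WAKE_LOCK",
}
# Permissions that map onto the RAT capabilities listed above.
RAT_INDICATORS = {
    "android.permission.READ_SMS": "collect SMS",
    "android.permission.SEND_SMS": "send SMS",
    "android.permission.RECEIVE_SMS": "intercept or block SMS",
    "android.permission.READ_CALL_LOG": "collect call logs",
    "android.permission.CALL_PHONE": "start a phone call",
    "android.permission.ACCESS_FINE_LOCATION": "GPS tracking",
    "android.permission.WRITE_SETTINGS": "override system settings",
    "android.permission.RECEIVE_BOOT_COMPLETED": "persistence via autostart",
}
# Matches the `uses-permission: name='...'` lines that
# `aapt dump permissions <apk>` prints.
PERM_RE = re.compile(r"uses-permission: name='([^']+)'")

def parse_permissions(aapt_output: str) -> list:
    """Return the permission names requested in aapt dump output."""
    return PERM_RE.findall(aapt_output)

def triage(aapt_output: str) -> dict:
    """Map each permission a video app cannot justify to a reason:
    a RAT capability label where one is known, else 'unexpected'."""
    findings = {}
    for perm in parse_permissions(aapt_output):
        if perm not in PLAUSIBLE_FOR_VIDEO_APP:
            findings[perm] = RAT_INDICATORS.get(perm, "unexpected")
    return findings

# Constructed sample in the format of `aapt dump permissions <apk>`.
SAMPLE_AAPT = """package: com.example.fakeyoutube
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.READ_CALL_LOG'
uses-permission: name='android.permission.RECEIVE_BOOT_COMPLETED'
"""
```

Running `triage(SAMPLE_AAPT)` on the constructed sample reports the SMS, call-log and boot-completed requests while accepting INTERNET and RECORD_AUDIO.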

CapraRAT’s key components

The configuration file holds default settings and version metadata. The CapraRAT APK's versioning follows the convention used for Transparent Tribe's Windows tool, CrimsonRAT, but the researchers have observed no direct relationship between these versions and the C2 domains.

MainActivity implements the application's core features and establishes persistence in its onCreate method, using Autostarter to launch the app automatically. TPSClient, initialised as mTCPService, schedules regular alarms so the app keeps running and maintains persistence.

TPSClient holds CapraRAT's core functionality and is responsible for executing the commands it receives, dispatching them through a series of switch statements.


Command and Control (C2) infrastructure

A list of permissions required for the fake app. | Source: SentinelLabs

CapraRAT’s configuration file contains the C2 server address and port information, often in hexadecimal format. The group uses Windows Server infrastructure to host the CapraRAT C2 application, with C2 servers associated with Remote Desktop Protocol (RDP) ports.

Domains associated with Transparent Tribe’s C2 infrastructure have been identified by researchers, including sharebox[.]net and ptzbubble[.]shop, with historical associations to DNS tunnelling lookups suggesting broader campaign connections.

Researchers suggest activists refrain from installing Android apps outside the Google Play Store, exercise caution when contacting anyone on social media, assess the app’s permissions, and avoid installing third-party versions of applications already on their phones.

Pakistan and India have been at loggerheads not only in physical warfare but in cyberspace, too. In April, a report emerged that Pakistan-based hackers are attempting to hack Indian government agencies. In June, it was discovered that DoNotTeam, believed to be associated with India, is targeting citizens of Pakistan.


Kumar Hemant


Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
