APT36 Operatives Exploit Android Devices Via YouTube App Imitations


The APT36 group, also known as ‘Transparent Tribe,’ has been observed using at least three Android applications that imitate YouTube to infect devices with its signature remote access trojan (RAT), ‘CapraRAT.’

Once installed, the malware lets its operator harvest data, record audio and video, and read sensitive communications, so in practice it functions as spyware.

APT36, which is linked to Pakistan, is known for deploying fake or trojanized Android apps against Indian defense and government institutions, organizations dealing with the Kashmir region, and human rights advocates in Pakistan.

SentinelLabs, which identified this new campaign, warns people involved in military or diplomatic matters in India and Pakistan to be wary of YouTube look-alike Android apps distributed through third-party sources.

Mimicking YouTube

The malicious application packages (APKs) are distributed outside Google Play, Android’s official store, which means victims are presumably socially engineered into downloading and installing them.

The APKs surfaced on VirusTotal in April, July, and August of 2023. Two were named ‘YouTube,’ while the third was titled ‘Piya Sharma,’ a name associated with a channel that may be part of a romance-based social engineering lure.

During installation, the fake apps request a long list of high-risk permissions that an unsuspecting user might accept as normal for a media streaming app such as YouTube.

The apps’ interface is designed to mimic Google’s genuine YouTube app. In practice it looks more like a web browser than the real client, because the malicious app simply loads the YouTube site inside a WebView, and it lacks several features of the original.

Once CapraRAT is running on the device, it can carry out the following actions:

  • Record audio and video using the device’s microphones and cameras.
  • Collect the contents of SMS and multimedia messages, as well as call logs.
  • Send SMS messages and block incoming ones.
  • Initiate phone calls.
  • Take screenshots.
  • Modify system settings such as GPS and network configuration.
  • Alter files stored in the phone’s internal storage.
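A defender-side way to use the two points above (permission requests out of character for a streaming app, and the capability list) is to triage a sample’s manifest for permissions that only make sense for the behaviors described. The following is an added example, not code from the article or from SentinelLabs; the sample manifest, the package name, and the mapping from Android permissions to CapraRAT capabilities are all assumptions for illustration.

```python
# Added example, not from the article or SentinelLabs. Triages the permissions in
# a decoded AndroidManifest.xml (real APK manifests are binary XML; decode first,
# e.g. with apktool). The permission-to-capability mapping and sample are assumed.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions a legitimate video-streaming client plausibly needs (assumed).
EXPECTED_FOR_MEDIA_APP = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.WAKE_LOCK",
}

# Permission -> capability from the article's list of CapraRAT actions.
RAT_CAPABILITY_BY_PERMISSION = {
    "android.permission.RECORD_AUDIO": "audio recording",
    "android.permission.CAMERA": "video recording",
    "android.permission.READ_SMS": "reading SMS and MMS content",
    "android.permission.RECEIVE_SMS": "intercepting or blocking incoming messages",
    "android.permission.SEND_SMS": "sending SMS",
    "android.permission.READ_CALL_LOG": "reading call records",
    "android.permission.CALL_PHONE": "starting phone calls",
    "android.permission.ACCESS_FINE_LOCATION": "reading or changing GPS state",
    "android.permission.WRITE_EXTERNAL_STORAGE": "altering stored documents",
}

# Constructed manifest for a hypothetical YouTube look-alike APK.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.youtube.lookalike">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
</manifest>"""

def requested_permissions(manifest_xml: str) -> set:
    """Return the permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}

def triage(manifest_xml: str) -> dict:
    """Map each unexpected permission to the RAT capability it would enable."""
    extra = requested_permissions(manifest_xml) - EXPECTED_FOR_MEDIA_APP
    return {p: RAT_CAPABILITY_BY_PERMISSION[p] for p in sorted(extra)
            if p in RAT_CAPABILITY_BY_PERMISSION}
```

Running `triage(SAMPLE_MANIFEST)` on the constructed manifest flags six permissions, each paired with the capability it would enable, which is the kind of mismatch an analyst can check quickly before deeper reverse engineering.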

According to SentinelLabs, the CapraRAT builds seen in this campaign include improvements over earlier samples, indicating the tool is under active development.

As for attribution, the command-and-control (C2) server addresses that CapraRAT contacts are embedded in the app’s configuration file and have historical ties to Transparent Tribe activity.

Several of the IP addresses uncovered by SentinelLabs are also associated with other RAT campaigns, but the exact relationship between those operators and Transparent Tribe remains unclear.

In short, Transparent Tribe continues its cyberespionage activity in India and Pakistan using its signature Android RAT, now disguised as YouTube, which shows that the group keeps adapting its lures.

SentinelLabs notes that, although Transparent Tribe’s poor operational security makes its operations and tools relatively easy to identify, its steady release of new applications keeps the campaign moving and continually reaches a wider pool of potential victims.