CapraRAT malware targeting Android users with fake apps
A politically driven threat actor has unleashed a fresh malware offensive targeting Android devices.
Experts at SentinelLabs have identified a new tool, CapraRAT, deployed by the Pakistani state-sponsored hacking group Transparent Tribe. This sophisticated trojan is designed to monitor user activities, with Indian users being the primary focus.
Echoing its past strategies, Transparent Tribe’s CapraRAT masquerades as well-known Android apps. This time, it impersonates TikTok, Forgotten Weapons, a “Sexy Videos” app, and a mobile game called “Crazy Games.”
When unsuspecting users launch these fake apps, they are redirected to the actual websites or YouTube channels, creating an illusion of legitimacy. Meanwhile, the malware operates in the background, executing covert tasks such as tracking GPS location, reading SMS messages and contacts, managing network connections, and monitoring browsing activities.
Though CapraRAT functions as a remote access trojan (RAT), researchers believe its primary purpose is to act as stealthy spyware and a surveillance tool, rather than a typical backdoor or remote control malware.
The tactic of using fake apps to hide malware is not new. Transparent Tribe has previously conducted similar operations, including a campaign centered on another provocative video app.
“The new campaign continues this trend with the Sexy Videos app,” noted the SentinelLabs team. “Unlike earlier apps that merely launched YouTube without a query, the current campaign’s YouTube apps come preloaded with queries related to the app’s theme.”
The SentinelLabs researchers observed that the malware developers are becoming more adept and sophisticated in their coding.
“The apps from the new campaign run seamlessly on modern versions of Android,” the researchers explained. “In contrast, the apps from the September 2023 campaign triggered compatibility warnings, which could have alerted users to the abnormality of the apps.”
Users are advised to download software exclusively from trusted app stores and remain cautious of apps requesting unusually invasive permissions and hardware access.
