04 Jul

Transparent Tribe expands Android malware campaign

The threat actor Transparent Tribe has continued its campaign using malware-laced Android apps to target specific individuals through social engineering.

According to SentinelOne researcher Alex Delamotte, the group has embedded spyware into curated video browsing applications, expanding its targeting to mobile gamers, weapons enthusiasts, and TikTok fans. The campaign, named CapraTube, was first reported in September 2023. Transparent Tribe uses weaponized apps impersonating legitimate ones such as YouTube to deliver spyware called CapraRAT, a modified build of the open-source AndroRAT that is capable of capturing sensitive data from the device.

Transparent Tribe, believed to operate out of Pakistan, has used CapraRAT in attacks against the Indian government and military for over two years. Its methods include spear-phishing and watering hole attacks. Recent activity suggests the group is refreshing its social engineering lures and keeping the spyware compatible with older Android versions while extending support to current ones. SentinelOne identified new malicious APK files, including apps named Crazy Game and TikToks, that simply load the promised content in a WebView while the permissions the app holds are abused to access sensitive data and to perform actions such as placing calls and recording audio and video.

A notable change in the newer builds is that fewer permissions are requested: READ_INSTALL_SESSIONS and GET_ACCOUNTS, which support installing further packages and enumerating the accounts configured on the device, are no longer present, which SentinelOne reads as a shift from backdoor capability toward pure surveillance. Delamotte notes that the recent changes aim to make CapraRAT more reliable and stable, consistent with targeting individuals in the Indian government or military who carry devices running newer Android versions.
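A permission-overreach check of the kind a triage analyst would run over such samples is shown below. This is an added example, not code from SentinelOne, the article, or the malware itself: the two manifests are constructed to resemble the pattern the article describes (a "video player" that requests microphone, camera, call and SMS permissions) and are not the real CapraRAT manifests; the package name and the permission watchlists are assumptions chosen for illustration.

```python
"""Flag Android manifests whose permissions exceed what the app's cover story needs.

Added example. The manifests below are CONSTRUCTED to mirror the article's
description (a WebView video app holding surveillance permissions); they are
not CapraRAT's real manifests, and the watchlists are illustrative.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions a WebView-based video browsing app has no legitimate need for.
SURVEILLANCE_PERMISSIONS = {
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.CALL_PHONE",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
}

# Permissions that support dropping further payloads or harvesting accounts
# (the article names the first two as dropped in newer CapraRAT builds).
BACKDOOR_PERMISSIONS = {
    "android.permission.READ_INSTALL_SESSIONS",
    "android.permission.GET_ACCOUNTS",
    "android.permission.REQUEST_INSTALL_PACKAGES",
}

# What a plain video-streaming WebView app would plausibly need (assumption).
VIDEO_APP_EXPECTED = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
}

# Constructed sample: an "older build" holding both surveillance and backdoor permissions.
OLD_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.videoplayer">
    <uses-sdk android:minSdkVersion="19" android:targetSdkVersion="30"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_INSTALL_SESSIONS"/>
    <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
    <application android:label="Video Player"/>
</manifest>
"""

# Constructed sample: a "newer build" that dropped the two backdoor-oriented permissions.
NEW_MANIFEST = OLD_MANIFEST.replace(
    '    <uses-permission android:name="android.permission.READ_INSTALL_SESSIONS"/>\n', ""
).replace(
    '    <uses-permission android:name="android.permission.GET_ACCOUNTS"/>\n', ""
)


def permissions_from_manifest(xml_text: str) -> set[str]:
    """Return every android:name declared in a <uses-permission> element."""
    root = ET.fromstring(xml_text)
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }


def flag_overreach(perms: set[str], expected: set[str]) -> dict[str, set[str]]:
    """Split the requested permissions that exceed the cover story into two classes."""
    return {
        "surveillance": (perms & SURVEILLANCE_PERMISSIONS) - expected,
        "backdoor": (perms & BACKDOOR_PERMISSIONS) - expected,
    }


def diff_permissions(old: set[str], new: set[str]) -> tuple[set[str], set[str]]:
    """Return (added, removed) permission sets between two builds of one app."""
    return new - old, old - new


if __name__ == "__main__":
    old = permissions_from_manifest(OLD_MANIFEST)
    new = permissions_from_manifest(NEW_MANIFEST)
    for label, perms in (("old build", old), ("new build", new)):
        flags = flag_overreach(perms, VIDEO_APP_EXPECTED)
        print(f"{label}: surveillance={sorted(flags['surveillance'])}")
        print(f"{label}: backdoor={sorted(flags['backdoor'])}")
    added, removed = diff_permissions(old, new)
    print("added:", sorted(added), "removed:", sorted(removed))
```

The point of the two-build diff is the one the article makes: a build that sheds READ_INSTALL_SESSIONS and GET_ACCOUNTS while keeping microphone, camera and call permissions looks less like a dropper and more like a dedicated surveillance implant, and that shift is visible from the manifest alone before any dynamic analysis.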


In parallel, Promon has disclosed a new Android banking malware called Snowblind which, like the earlier FjordPhantom, is built to defeat the protections of the apps it targets: it uses a seccomp-based technique to get past the apps' tamper detection and then abuses the accessibility services API to read screen content and act on the victim's behalf. Snowblind and FjordPhantom both target apps used in Southeast Asia and show how far malware authors in the region have gone in defeating app-side defences.