Do not download or install an application, whatever it is, if it does not come directly from the Google Play Store. This simple rule can protect you from malware like that of Transparent Tribe, a suspected Pakistani threat actor that is hiding remote access tool (RAT) features inside an application that appears legitimate.
Transparent Tribe is believed to be a Pakistani group or actor that targets military and diplomatic personnel in both Pakistan and India. According to a SentinelLabs report, the threat actors aim to target “people with knowledge of matters related to the disputed region of Kashmir, as well as human rights activists working on Pakistan-related issues.” In this effort, the group has employed CapraRAT, an Android RAT that disguises itself as a legitimate application.
One of the CapraRAT APKs borrows YouTube’s icon and loads YouTube in a webpage inside the app.
Previously, CapraRAT was disguised as a dating service, hosted on Transparent Tribe websites, which used social engineering techniques to trick users into downloading malware. Now, however, it appears that CapraRAT is disguising itself wholesale as the YouTube app or spoofing an app for a YouTube channel belonging to Pia Sharma. This latter version of CapraRAT indicates to the SentinelLabs team that “actors continue to use romance-based social engineering techniques to convince targets to install applications, and Pia Sharma is a relatable personality.”
The Pia Sharma variant of CapraRAT requests several permissions to enable spying and espionage.
Regardless of how CapraRAT gets onto your device, once it is installed it is quite scary. Researchers note that CapraRAT can record from the microphone or any camera, collect or send SMS and MMS messages, read call logs or initiate phone calls, take screenshots, override system settings, and access and modify files on the phone. Any collected data is then sent to the Transparent Tribe command-and-control (C2) server, which has been linked to the group for some time.
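As a defensive check for the capability list above, the following added example (not code from SentinelLabs or the original article) audits a decoded, text-form AndroidManifest.xml, such as one produced by apktool, for permissions that grant those capabilities. The capability-to-permission mapping, the threshold of three, and the sample manifest are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."

# Capability named in the article -> standard Android permissions that grant it.
# Assumption of this example: the mapping is not taken from the SentinelLabs report.
CAPABILITY_PERMISSIONS = {
    "microphone recording": {"RECORD_AUDIO"},
    "camera recording": {"CAMERA"},
    "SMS/MMS access": {"READ_SMS", "SEND_SMS", "RECEIVE_SMS", "RECEIVE_MMS"},
    "call log access": {"READ_CALL_LOG"},
    "placing phone calls": {"CALL_PHONE"},
    "changing system settings": {"WRITE_SETTINGS"},
    "file access": {"READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE",
                    "MANAGE_EXTERNAL_STORAGE"},
}

# Constructed sample: a hypothetical video-wrapper app, not a real manifest.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.videowrapper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission-sdk-23 android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
</manifest>
"""

def requested_permissions(manifest_xml):
    """Return short names of android.permission.* entries the manifest requests."""
    root = ET.fromstring(manifest_xml.strip())
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name", "")
            if name.startswith(PREFIX):
                names.add(name[len(PREFIX):])
    return names

def audit(manifest_xml, threshold=3):
    """Flag a manifest that covers `threshold` or more of the listed capabilities."""
    perms = requested_permissions(manifest_xml)
    hits = {cap: sorted(perms & wanted)
            for cap, wanted in CAPABILITY_PERMISSIONS.items() if perms & wanted}
    return {"capabilities": hits, "suspicious": len(hits) >= threshold}
```

Calling `audit(SAMPLE_MANIFEST)` reports five covered capabilities for an app that only needs network access to show video, which is the mismatch worth investigating.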
With this information in mind, SentinelLabs recommends, “Individuals and organizations involved in diplomatic, military or activist matters in the India and Pakistan territories should evaluate defenses against this actor and threat.” However, this is a good opportunity for everyone in the Android ecosystem to be aware that threat actors are taking advantage of Android apps distributed outside the Play Store to spread malware. As such, users should not install apps from outside the Play Store and should be wary of social engineering techniques that may lead people to install overly permissive Android apps that may prove to be a security risk.