A Pakistan-linked hacking group has unleashed an updated version of its Android spyware, expanding its reach to target mobile gamers, weapons enthusiasts and TikTok users, according to cybersecurity researchers.
The researchers identified four new malicious Android apps associated with Transparent Tribe, a group suspected of ties to Pakistani state interests. The apps continue the hackers’ strategy of embedding spyware into seemingly innocuous video browsing applications.
Evolving Tactics of Transparent Tribe
Transparent Tribe, also known as APT 36, has targeted Indian government and military personnel since at least 2016. The group is known to rely heavily on social engineering to deliver Windows and Android spyware through phishing emails and compromised websites.
Researchers from SentinelLabs identified the newly discovered apps masquerading as YouTube or TikTok video players, an app for lewd videos, a mobile gaming portal, and a weapons enthusiast app. When installed, they request extensive permissions to access the device’s location, contacts, SMS messages, call logs, camera and microphone.
While the permissions requested are similar to those in the previous campaign, the reduction in permissions suggests the app developers are focused on making CapraRAT a surveillance tool more than a fully featured backdoor.
Researchers noted that the new CapraRAT APK files contained references to Android’s Oreo version (Android 8.0), released in 2017. Previous versions relied on the device running Lollipop (Android 5.1), which was released in 2015 and less likely to be compatible with modern Android devices.
The new CapraRAT packages also contain a minimal new class called WebView, responsible for maintaining compatibility with older versions of Android via the Android Support Library. This update allows the app to run smoothly on modern versions of Android, such as Android 13 and 14.
All four newly discovered apps communicate with the same command-and-control server, using either the domain shareboxs[.]net or a hardcoded IP address. This infrastructure has been linked to Transparent Tribe operations since at least 2022.
Researcher Recommendations
Cybersecurity experts recommend users exercise caution when installing apps, especially those from unofficial sources. Users should critically evaluate requested permissions and be wary of apps that ask for access unrelated to their stated purpose.
Organizations dealing with sensitive information should implement mobile device management solutions and educate employees about the risks of installing unauthorized apps. For example, an app that only displays TikTok videos does not need the ability to send SMS messages, make calls, or record the screen.
The researchers have advised professionals to treat the use of port 18582 as suspect, along with other indicators of compromise in their report, such as SHA1 checksums for files used in the campaign along with domain/IP network indicators.
