Resurgent Transparent Tribe deploys new Android spyware
SentinelLabs has unveiled new research indicating the resurgence of a Pakistan-aligned threat actor, Transparent Tribe, through the deployment of four new Android spyware applications. The recent findings are an extension of SentinelLabs' September 2023 investigation into the CapraTube campaign.
Transparent Tribe, also known as APT 36 or Operation C-Major, has been operational since at least 2016. The group primarily targets Indian government and military personnel through social engineering tactics, such as spear-phishing and watering hole attacks. The latest report underscores the continuation and evolution of these techniques, particularly in embedding spyware within seemingly harmless video browsing applications.
The September 2023 CapraTube campaign detailed how weaponised Android applications, masquerading as YouTube alternatives, were leveraged in suspected romance-themed contexts. The current campaign mirrors these tactics but demonstrates enhanced efforts to maximise compatibility with both older and newer Android devices. The earlier pretexts have evolved, culminating in applications designed to attract mobile gamers, weapon enthusiasts, and TikTok fans.
A notable update in the new campaign is that references to older Android versions in the code have been replaced with references to Android Oreo (Android 8.0), released in 2017. The previous versions depended on Android Lollipop (Android 5.1), which dates back to 2015 and is increasingly incompatible with modern devices.
One specific application from the initial CapraTube campaign, Piya Sharma, used a romance-themed approach. The current effort continues this trend with an app named Sexy Videos. Unlike earlier versions, which opened YouTube with no search query, the new applications preload YouTube queries that match their themes. For instance, the TikTok app initiates a YouTube search for "Tik Toks," while the Weapons app links to the Forgotten Weapons YouTube channel, which has 2.7 million subscribers.
The identified CapraRAT APKs illustrate a consistent embedding of spyware into curated video applications. The primary intention is to appeal to a broader audience and facilitate the spyware's proliferation among mobile users interested in gaming, weaponry, or TikTok content. Although the overall functionality remains unchanged, the underlying code has been updated for better alignment with contemporary Android OS versions.
The research emphasises that the adjustments to CapraRAT's code suggest a focused effort on making the spyware more reliable and stable. This strategic move aligns with the group's aim to infiltrate devices used by Indian government or military personnel, who are less likely to employ significantly outdated Android versions such as Lollipop.
SentinelLabs advises users to scrutinise app permissions carefully to avoid compromise by CapraRAT and similar malware. For example, an app that does nothing but display TikTok videos should not require permissions to send SMS messages, make calls, or record the screen. In incident response scenarios, it is recommended to treat the associated network indicators, such as the use of port 18582, as suspect. Additionally, checking suspect apps for the strings listed in the Spyware Activities & C2 section of the report can provide further assurance.
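The two checks recommended above, as an added example that is not part of the SentinelLabs report: a permission audit that flags manifest permissions a video-viewing app has no reason to request, and a scan of egress log lines for connections to port 18582. The manifest, the log line format, the package name and the high-risk permission list are all constructed for this example.

```python
import re
from xml.etree import ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumed baseline: permissions a video-browsing app has no business requesting.
# Screen capture is granted at runtime via MediaProjection rather than a manifest
# permission, so it is not covered by this static check.
HIGH_RISK_PERMISSIONS = {
    "android.permission.SEND_SMS": "send SMS",
    "android.permission.READ_SMS": "read SMS",
    "android.permission.CALL_PHONE": "place calls",
    "android.permission.READ_CALL_LOG": "read call log",
    "android.permission.RECORD_AUDIO": "record audio",
    "android.permission.CAMERA": "use camera",
    "android.permission.ACCESS_FINE_LOCATION": "track precise location",
}

SUSPECT_PORTS = {18582}  # port named as a CapraRAT indicator in the report


def flag_manifest_permissions(manifest_xml):
    """Return the high-risk permissions declared in an AndroidManifest.xml string."""
    root = ET.fromstring(manifest_xml)
    declared = {p.get(f"{{{ANDROID_NS}}}name") for p in root.iter("uses-permission")}
    return sorted(p for p in declared if p in HIGH_RISK_PERMISSIONS)


def flag_connections(log_lines):
    """Return (dst_ip, dst_port) for log lines whose destination port is suspect."""
    pattern = re.compile(r"dst=(\S+):(\d+)")
    hits = []
    for line in log_lines:
        m = pattern.search(line)
        if m and int(m.group(2)) in SUSPECT_PORTS:
            hits.append((m.group(1), int(m.group(2))))
    return hits


# Constructed sample: a "TikTok viewer" manifest asking for far more than playback needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.tiktokvideos">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
</manifest>"""

# Constructed sample egress log lines (illustrative format, not from the report).
SAMPLE_LOG = [
    "2024-07-01T10:00:01 src=10.0.0.5:51312 dst=203.0.113.10:443 proto=tcp",
    "2024-07-01T10:00:07 src=10.0.0.5:51320 dst=198.51.100.7:18582 proto=tcp",
]
```

Running `flag_manifest_permissions(SAMPLE_MANIFEST)` and `flag_connections(SAMPLE_LOG)` shows the mismatch between the app's stated purpose and its requested capabilities, and the one connection an analyst should pull for review.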
The September and current campaigns underscore the adaptability and persistence of Transparent Tribe in employing social engineering to expand its reach. The group's continued emphasis on social engineering highlights the importance of vigilance and security measures among potential targets to mitigate the risk of spyware infiltration.