Friday, March 1, 2024

CapraRAT Android Malware Hijacks Android Phones by Mimicking the YouTube App

The suspected Pakistani group Transparent Tribe is known for targeting the military, diplomats, and now the Indian education sector.

Because it operates outside the Play Store, the group distributes weaponized Android apps through websites it runs itself and through social engineering.

Cybersecurity researchers at Sentinel Labs recently reported that this group is actively using the CapraRAT Android malware to take over Android devices by mimicking the YouTube app.

The group has used CapraRAT, which hides RAT functionality inside otherwise ordinary-looking apps, since 2018. It has deployed the malware to monitor Pakistani human rights activists and matters related to Kashmir.

Malware Hijacks Android Phones

In early 2023 the group also disguised CapraRAT as a dating app to deliver the same spyware.

One APK links to a YouTube channel belonging to a persona named Piya Sharma and borrows her name and likeness, indicating the group's continued use of romance-based social engineering.

Piya Sharma app (Source – Sentinel Labs)

CapraRAT's notable data-harvesting and exfiltration capabilities include:

Recording with the microphone

Recording with the front camera

Recording with the rear camera

Collecting SMS

Collecting multimedia message contents

Collecting call logs

Sending SMS messages

Blocking incoming SMS

Initiating phone calls

Taking screen captures

Overriding system settings

Modifying files on the phone's filesystem


CapraRAT Mimicking YouTube App

CapraRAT, a name first coined by Trend Micro, shows traces of AndroRAT in its Android APK builds.

Researchers identified several YouTube-themed CapraRAT APKs and analyzed three of them (SHA-1 hash and filename):

8beab9e454b5283e892aeca6bca9afb608fa8718 – yt.apk

83412f9d757937f2719ebd7e5f509956ab43c3ce – YouTube_052647.apk

14110facecceb016c694f04814b5e504dc6cde61 – Piya Sharma.apk

On launch, CapraRAT's MainActivity loads YouTube inside a WebView, which gives a noticeably different experience from the native YouTube app.

Small snippet of the load_web (Source – Sentinel Labs)

Because CapraRAT is a flexible Android framework, its file structure varies from app to app. The analysts found the following in the three CapraRAT APKs:

Name: yt.apk
Configuration: com/media/gallery/service/settings
Version: MSK-2023
Main: com/media/gallery/service/MainActivity
Malicious Activity: com/media/gallery/service/TPSClient

Name: YouTube_052647.apk
Configuration: com/Base/media/service/setting
Version: A.F.U.3
Main: com/Base/media/service/MainActivity
Malicious Activity: com/Base/media/service/TCHPClient

Name: Piya Sharma.apk
Configuration: com/videos/watchs/share/setting
Version: V.U.H.3
Main: com/videos/watchs/share/MainActivity
Malicious Activity: com/videos/watchs/share/TCPClient

MainActivity drives the core functionality: its onCreate method sets up persistence via Autostarter, initializes mTCPService as a TPSClient instance, and schedules an alarm that fires every minute.

The RAT's key class, TPSClient, resembles Extra_Class, which contains more than 10,000 lines of Smali code. TPSClient dispatches CapraRAT commands in its run method, where switch statements map each command to the method that implements it.

A notable change is that the hideApp method now branches on the Android version and on config settings, likely to accommodate OS changes introduced after Android 9.
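The capability list above (microphone, cameras, SMS, call logs, calls, system settings, filesystem) and the boot-time persistence just described both show up in an APK's manifest as declared permissions and a BOOT_COMPLETED receiver. The following triage script is an added example, not code from Sentinel Labs or from the malware: it parses a decoded AndroidManifest.xml (as produced by a tool such as apktool; the binary manifest inside the APK must be decoded first) and flags a "video app" that declares spyware-grade permissions or a boot receiver. The two manifests embedded below are constructed for the example, and the package names in them are placeholders.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"  # ElementTree spelling of android:name

# Real Android permission names, mapped to the CapraRAT capability each one enables.
# A YouTube lookalike has no legitimate reason to request any of them.
SPYWARE_PERMISSIONS = {
    "android.permission.RECORD_AUDIO": "microphone recording",
    "android.permission.CAMERA": "front/rear camera recording",
    "android.permission.READ_SMS": "SMS collection",
    "android.permission.RECEIVE_SMS": "SMS interception / blocking",
    "android.permission.SEND_SMS": "sending SMS",
    "android.permission.READ_CALL_LOG": "call log collection",
    "android.permission.CALL_PHONE": "initiating phone calls",
    "android.permission.WRITE_SETTINGS": "overriding system settings",
    "android.permission.WRITE_EXTERNAL_STORAGE": "modifying files on the filesystem",
    "android.permission.RECEIVE_BOOT_COMPLETED": "autostart persistence",
}

# Constructed manifest modelled on the behaviour described in the article (not a real sample).
CONSTRUCTED_LOOKALIKE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.lookalike">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <activity android:name=".MainActivity"/>
    <receiver android:name=".Autostarter">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed manifest for a harmless viewer app, for comparison.
CONSTRUCTED_BENIGN_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.viewer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""


def triage_manifest(manifest_xml: str) -> dict:
    """Return the spyware-grade permissions and boot-receiver status declared in a manifest."""
    root = ET.fromstring(manifest_xml)
    requested = {p.get(NAME_ATTR) for p in root.iter("uses-permission")}
    suspicious = {
        perm: SPYWARE_PERMISSIONS[perm]
        for perm in sorted(requested)
        if perm in SPYWARE_PERMISSIONS
    }
    # Persistence indicator: a <receiver> whose intent-filter listens for BOOT_COMPLETED.
    boot_receiver = any(
        action.get(NAME_ATTR) == "android.intent.action.BOOT_COMPLETED"
        for receiver in root.iter("receiver")
        for action in receiver.iter("action")
    )
    return {
        "package": root.get("package"),
        "suspicious_permissions": suspicious,
        "boot_receiver": boot_receiver,
        # One point per spyware permission, plus one for boot persistence.
        "score": len(suspicious) + (1 if boot_receiver else 0),
    }


if __name__ == "__main__":
    for manifest in (CONSTRUCTED_LOOKALIKE_MANIFEST, CONSTRUCTED_BENIGN_MANIFEST):
        report = triage_manifest(manifest)
        print(f"{report['package']}: score={report['score']} boot_receiver={report['boot_receiver']}")
        for perm, capability in report["suspicious_permissions"].items():
            print(f"  {perm}  ->  {capability}")
```

The check only sees what the manifest declares; a permission that is declared but never granted at runtime is still worth flagging, because a video-viewing app should not be asking for it at all. Run it over every sideloaded APK rather than only the ones that look odd, since the lure here is precisely an app that looks familiar.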

CapraRAT's config file stores the C2 server address under SERVERIP and the port as a hexadecimal big-endian value, which decodes to ports 14862, 18892, and 10284 across the analyzed APKs.
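Decoding that port field is a small but easy-to-get-wrong step during analysis. The helper below is an added example (not Sentinel Labs' tooling): it reads a hexadecimal port field as big-endian, shows what a parser that assumed little-endian would have produced instead, and encodes the three ports named above to confirm the round trip. The KEY=VALUE config layout and the SERVERIP address in the constructed snippet are assumptions for the example; only the SERVERIP key name and the decoded port values come from the article.

```python
HEX_DIGITS = set("0123456789abcdef")


def _clean_hex(field: str) -> str:
    """Normalise a hex field: strip whitespace and an optional 0x prefix, left-pad odd lengths."""
    digits = field.strip().lower()
    if digits.startswith("0x"):
        digits = digits[2:]
    if not digits or any(c not in HEX_DIGITS for c in digits):
        raise ValueError(f"not a hexadecimal field: {field!r}")
    # An odd number of nibbles means a leading zero was dropped; big-endian pads on the left.
    return digits if len(digits) % 2 == 0 else "0" + digits


def decode_be_port(field: str) -> int:
    """Interpret a hexadecimal string as a big-endian unsigned port number."""
    port = int.from_bytes(bytes.fromhex(_clean_hex(field)), "big")
    if not 0 < port <= 65535:
        raise ValueError(f"{port} is outside the valid TCP port range")
    return port


def decode_le_port(field: str) -> int:
    """Same bytes read little-endian: the wrong answer a mis-specified parser would report."""
    return int.from_bytes(bytes.fromhex(_clean_hex(field)), "little")


def encode_be_port(port: int) -> str:
    """Inverse of decode_be_port: render a port as a 2-byte big-endian hex string."""
    if not 0 < port <= 65535:
        raise ValueError(f"{port} is outside the valid TCP port range")
    return port.to_bytes(2, "big").hex().upper()


# Constructed config snippet; the KEY=VALUE layout and the 203.0.113.10 address (a
# documentation-range address) are placeholders, not values from a real sample.
CONSTRUCTED_CONFIG = """\
SERVERIP=203.0.113.10
PORT=3A0E
"""


def parse_config(text: str) -> dict:
    """Parse the constructed KEY=VALUE config into a server address and decoded port."""
    values = {}
    for line in text.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    return {"server": values["SERVERIP"], "port": decode_be_port(values["PORT"])}


if __name__ == "__main__":
    for field in ("3A0E", "49CC", "282C"):
        print(f"{field}: big-endian={decode_be_port(field)}  little-endian={decode_le_port(field)}")
    print(parse_config(CONSTRUCTED_CONFIG))
```

The little-endian reading of 3A0E is 3642 rather than 14862, so a detection rule built from the wrong byte order would watch the wrong port entirely; pin the endianness in the extractor and verify it against a known sample before trusting the output.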

Defensive & Preventative Measures

The recommended security measures are:

Install Android apps only from Google Play.

Be wary of new social apps advertised in your social media feeds.

Review the permissions an app requests before granting them.

Do not install third-party copies of well-known apps.

Do not grant sensitive permissions to unfamiliar apps.


The post CapraRAT Android Malware Hijack Android Phones Mimicking YouTube App appeared first on Cyber Security News.
