1.0 Introduction
Recently, MyCERT has been aware of a new campaign launched from The APT36 hacking group, also known as 'Transparent Tribe,' targeting Android users in India and Pakistan using clones YouTube application.
That clone YouTube app to infect devices with their signature remote access trojan (RAT), 'CapraRAT.' Once the malware is installed on a victim's device, it can harvest data, record audio and video, or access sensitive communication information, essentially operating like a spyware tool.
The malicious APKs are distributed outside Google Play, Android's official app store, so the victims are most likely socially engineered to download and install them.
The APKs were uploaded to VirusTotal in April, July, and August 2023, with two of them being called 'YouTube' and one 'Piya Sharma' associated with the channel of a persona likely used in romance-based tactics.
Figure 1: The interface of the malicious apps attempts to imitate Google's real YouTube app, but it resembles a web browser rather than the native app due to using WebView from within the trojanized app to load the service. Also, it misses several of the features available on the actual platform.
2.0 Impact
Once the CapraRAT is up and running on the device, it performs the following actions:
- Recording with the microphone, front & rear cameras
- Collecting SMS and multimedia message contents, call logs
- Sending SMS messages, blocking incoming SMS
- Initiating phone calls
- Taking screen captures
- Overriding system settings such as GPS & Network
- Modifying files on the phone's filesystem
Figure 2: Screenshot during installation, the malware apps request numerous risky permissions, some of which the victim might treat without suspicion for a media streaming app like YouTube.
3.0 Affected Products
Android mobile devices
4.0 Recommendations
To protect your personal data and privacy, it is imperative that you take the following actions immediately:
- Avoid Third-party App Stores: Download apps only from trusted sources, such as Google Play, to minimize the risk of downloading malicious applications.
- Verify App Permissions: Review the permissions requested by an app during installation. Be cautious if an app requests unnecessary permissions.
- Keep Software Updated: Ensure your Android device's operating system and apps are up-to-date with the latest security patches.
- Security Software: Install reputable antivirus or anti-malware software to detect and remove threats on your Android device.
- Regular Backups: Regularly back up your data to prevent data loss in case of an attack.
- Exercise Caution: Be vigilant when downloading apps, especially if they are outside of official app stores. Avoid clicking on suspicious links or downloading attachments from unknown sources.
Generally, MyCERT advises the users of these devices to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.
For further enquiries, please get in touch with MyCERT through the following channels:
E-mail: cyber999[at]cybersecurity.my
Phone: 1-300-88-2999 (monitored during business hours)
Mobile: +60 19 2665850 (24x7 call incident reporting)
Business Hours: Mon - Fri 09:00 -18:00 MYT
Web: https://www.mycert.org.my
Twitter: https://twitter.com/mycert
Facebook: https://www.facebook.com/mycert.org.my
5.0 References
https://www.bleepingcomputer.com/news/security/apt36-state-hackers-infect-android-devices-using-youtube-app-clones/
https://www.techworm.net/2023/09/hacker-fake-youtube-apps-android.html
https://www.securityweek.com/pakistani-apt-uses-youtube-mimicking-rat-to-spy-on-android-devices/