CapraTube Remix | Transparent Tribe’s Android Spyware Targeting Gamers, Weapons Enthusiasts

Executive Summary

  • SentinelLabs has identified four new CapraRAT APKs associated with suspected Pakistan state-aligned actor Transparent Tribe.
  • These APKs continue the group’s trend of embedding spyware into curated video browsing applications, with a new expansion targeting mobile gamers, weapons enthusiasts, and TikTok fans.
  • The overall functionality remains the same, with the underlying code updated to better suit modern Android devices.

Overview

Transparent Tribe (aka APT 36, Operation C-Major) has been active since at least 2016 with attacks against Indian government and military personnel. The group relies heavily on social engineering attacks to deliver a variety of Windows and Android spyware, including spear-phishing and watering hole attacks.

In September 2023, SentinelLabs outlined the CapraTube campaign, which used weaponized Android applications (APK) designed to mimic YouTube, often in a suspected dating context due to the nature of the videos served. The activity highlighted in this report shows the continuation of this technique with updates to the social engineering pretexts as well as efforts to maximize the spyware’s compatibility with older versions of the Android operating system while expanding the attack surface to include modern versions of Android.

New CapraRAT APKs

SHA-1 c307f523a1d1aa928fe3db2c6c3ede6902f1084b
App Name Crazy Game signed.apk
Package Name com.maeps.crygms.tktols
SHA-1 dba9f88ba548cebfa389972cddf2bec55b71168b
App Name Sexy Videos signed.apk
Package Name com.nobra.crygms.tktols
SHA-1 28bc3b3d8878be4267ee08f20b7816a6ba23623e
App Name TikTok signed.apk
Package Name com.maeps.vdosa.tktols
SHA-1 fff24e9f11651e0bdbee7c5cd1034269f40fc424
App Name Weapons signed.apk
Package Name com.maeps.vdosa.tktols
New CapraRAT app logos
New CapraRAT app logos

The new versions of CapraRAT each use WebView to launch a URL to either YouTube or a mobile gaming site, CrazyGames[.]com. There is no indication that an app with the same name, Crazy Games, is weaponized as it does not require several key CapraRAT permissions, such as sending SMS, making calls, accessing contacts, or recording audio and video. The URL query in the CapraRAT code is obfuscated as htUUtps://www.youUUtube.com/resulUUts?seUUarch_quUUery=TiUUk+ToUUks, which is cleaned to remove occurrences of UU, resulting in https[:]//www.youtube[.]com/results?search_query=Tik+Toks.

URL deobfuscation and loading performed by CapraRAT’s load_web method
URL deobfuscation and loading performed by CapraRAT’s load_web method
Decompiled view of load_web method
Decompiled view of load_web method

The previous CapraTube campaign had one APK called Piya Sharma that was likely used in a romance-themed social engineering pretext. The new campaign continues that trend with the Sexy Videos app. While two of the previously reported apps launched only YouTube with no query, the YouTube apps from this campaign are each preloaded with a query related to the application’s theme. The TikTok app launches YouTube with the query “Tik Toks,” and the Weapons app launches the Forgotten Weapons YouTube channel, which reviews a variety of classic arms and has 2.7 Million subscribers.

TikTok and Weapons-themed CapraRAT YouTube WebView
TikTok and Weapons-themed CapraRAT YouTube WebView

The Crazy Games app launches WebView to load CrazyGames[.]com, a site containing in-browser mini games. This particularly resource-intensive site did not work well on older versions of Android during our testing.

Crazy Games CapraRAT WebView
Crazy Games CapraRAT WebView

When the app first launches, the user is prompted to grant several risky permissions, including:

  • Access GPS location
  • Manage network state
  • Read and send SMS
  • Read contacts
  • Record audio and screen, take screenshots
  • Storage read and write access
  • Use camera
  • View call history and make calls

In contrast with the previous CapraRAT campaign, the following Android permissions are no longer requested or used:

  • READ_INSTALL_SESSIONS
  • GET_ACCOUNTS
  • AUTHENTICATE_ACCOUNTS
  • REQUEST_INSTALL_PACKAGES

The reduction in permissions suggests the app developers are focused on making CapraRAT a surveillance tool more than a fully featured backdoor.

App Compatibility

The most significant changes between this campaign and the September 2023 campaign are to app compatibility. The newest CapraRAT APKs we identified now contain references to Android’s Oreo version (Android 8.0), which was released in 2017. Previous versions relied on the device running Lollipop (Android 5.1), which was released in 2015 and less likely to be compatible with modern Android devices.

We tested the APKs from this campaign and the September 2023 campaign on an Android device running Android Tiramisu aka Android 13 (2022) and Android 14 (2023). The new campaign’s apps ran smoothly on this modern version of Android. The September 2023 campaign apps prompted a compatibility warning dialog, which could raise suspicion among victims that the app is abnormal. When running on the newest released version of Android 14, the September 2023 campaign’s Piya Sharma app fails to install. Each of the newer versions ran successfully.

In all cases, the app still requests gratuitous permissions from the user that hint to the tool’s capabilities. Even if the user declines permissions, the app still runs, meaning the group has not overcome this hurdle to successfully implementing their spyware.

Piya Sharma app install failure dialog on Android 14
Piya Sharma app install failure dialog on Android 14

The new CapraRAT packages also contain a very minimal new class called WebView, which is responsible for maintaining compatibility with older versions of Android via the Android Support Library, which developers can choose to include in a project to enhance compatibility.

Spyware Activities and C2

The app’s MainActivity initiates requests for permissions. The app still runs even if permissions are not granted.

MainActivity calls the TCHPClient class, which contains the malicious capabilities leveraged by CapraRAT. This class drives several spyware classes and methods, including:

  • audioStreamer (aStreamer)
  • CallLogLister
  • CallReceiver
  • ContactsLister
  • DirLister (file browsing)
  • downloadFile
  • killFile (file deletion)
  • killProcess
  • PhotoTaker
  • SMSLister
  • SMSReceiver

These give the spyware fine-grained control over what the user does on the device.

The sendData method is responsible for constructing the data collected by other methods and classes and sending it to the C2. The mRun method constructs the socket and sends the data to the C2 server using the variables specified in the Settings class. Each of the current campaign’s APKs use the same C2 server hostname, IP address and TCP port number 18582. The Settings class also shows the same CapraRAT version identifier for each APK, A.D.0.2.

CapraRAT’s Settings class shows the tool’s configuration variables

mRun performs a connectivity check to decide whether to connect to the C2 using the hostname shareboxs[.]net or the hardcoded IP address 173[.]249[.]50[.]243. This IP address has been tied to Transparent Tribe’s CrimsonRAT and AhMyth Android RAT C2 activity since at least 2022. As of this writing, shareboxs[.]net resolves to 173[.]212[.]206[.]227.

Conclusion

The updates to the CapraRAT code between the September 2023 campaign and the current campaign are minimal, but suggest the developers are focused on making the tool more reliable and stable. The decision to move to newer versions of the Android OS are logical, and likely align with the group’s sustained targeting of individuals in the Indian government or military space, who are unlikely to use devices running older versions of Android, such as Lollipop which was released 8 years ago.

The APK theme updates show the group continues to lean into its social engineering prowess to gain a wider audience of targets who would be interested in the new app lures, such as mobile gamers or weapons enthusiasts.

To help prevent compromise by CapraRAT and similar malware, users should always evaluate the permissions requested by an app to determine if they are necessary. For example, an app that only displays TikTok videos does not need the ability to send SMS messages, make calls, or record the screen. In incident response scenarios, treat the related network indicators of compromise as suspect, including the use of port 18582, and search suspect apps for the presence of strings using the unique method names outlined in the Spyware Activities & C2 section of this report.

Indicators of Compromise

Files

SHA1 Name
28bc3b3d8878be4267ee08f20b7816a6ba23623e TikTok signed.apk
c307f523a1d1aa928fe3db2c6c3ede6902f1084b Crazy Game signed.apk
dba9f88ba548cebfa389972cddf2bec55b71168b Sexy Videos signed.apk
fff24e9f11651e0bdbee7c5cd1034269f40fc424 Weapons signed.apk

Network Indicators

Domain/IP Description
shareboxs[.]net C2 domain
173[.]212[.]206[.]227 Resolved C2 IP address, hosts shareboxs.net
173[.]249[.]50[.]243 Hardcoded failover C2 IP address