In a sophisticated cyber espionage effort, Indian and Pakistani Android users are being targeted by a campaign deploying trojanized messaging apps. Operated by the Pakistan-linked advanced persistent threat group known as Transparent Tribe, also referred to as APT36, this campaign has been luring victims into installing apps embedded with CapraRAT spyware through romance scams. These apps, appearing as legitimate messaging services named MeetsApp and MeetUp, are actually fronts for exfiltrating sensitive data from victims’ devices.
The campaign utilizes the CapraRAT backdoor, a derivative of the open-source AndroRAT, akin to CrimsonRAT, indicating the high level of sophistication and the targeted nature of these attacks. Transparent Tribe, active since at least 2016, has been known for its cyberespionage operations aimed at collecting information beneficial to Pakistani military and diplomatic interests.
The operational security lapses by the operators of this campaign have inadvertently exposed personal identifiable information of the victims, allowing researchers to identify over 150 individuals primarily located in India, with others in Pakistan, Oman, Egypt, and Russia. Victims were tricked into downloading the trojanized apps through initial contact on different platforms, where they were convinced of the apps’ enhanced security features.
Furthermore, the campaign has been observed using various tactics to ensnare government and military officials, including the use of COVID-19 themed lures and decoys containing advisories targeting employees of the Government of India. This tactic, along with the use of themes related to the 7th Indian Central Pay Commission (7th CPC) in malicious documents, signifies the targeted approach of Transparent Tribe towards Indian government personnel.
The malicious apps facilitated by this campaign, once installed, grant the backdoor full functionality, including access to contacts, call logs, SMS messages, external storage, and the ability to record audio. This comprehensive access allows for a wide range of sensitive information to be exfiltrated from the victim’s device, underlining the severe privacy and security implications of the campaign.
This ongoing campaign underscores the evolving threat landscape in the region and the critical need for heightened cybersecurity awareness and practices among individuals and organizations alike.
