Popular Apps on Android Devices Conceal CapraRAT Spyware, Posing Threat to Users

The group known as Transparent Tribe has been spreading malware-infected Android apps as part of a social engineering campaign to target specific individuals. This malicious campaign, named CapraTube, targets mobile gamers, weapons enthusiasts, and TikTok fans by embedding spyware into curated video browsing applications.

According to SentinelOne security researcher Alex Delamotte, the campaign began in September 2023 with weaponized Android apps impersonating legitimate ones like YouTube, delivering spyware called CapraRAT. Transparent Tribe, suspected to be of Pakistani origin, has used CapraRAT for over two years in attacks against the Indian government and military personnel.

The malware, CapraRAT, uses WebView to launch URLs to YouTube or CrazyGames while collecting sensitive data in the background. The group has updated the spyware to be more compatible with older Android versions and expanded the attack surface to include modern versions of the operating system.

SentinelOne identified several new malicious APK files related to the campaign, targeting individuals in the Indian government and military space. The malware aims to act as a surveillance tool rather than a backdoor into devices, indicating a shift in the group’s tactics.

Additionally, Promon recently disclosed a new type of Android banking malware called Snowblind, which utilizes advanced techniques to evade detection and exploit the operating system’s accessibility services API covertly.
