Thursday September 19, 2024

Advisory ID: ngCERT-2023-0037

Summary: A Pakistani-linked threat actor known as Transparent Tribe has been discovered deploying malicious apps masquerading as YouTube to distribute the CapraRAT mobile remote access trojan (RAT) to Android devices. This underscores the need for individuals, particularly those in sensitive positions, and organisations to take proactive steps to forestall such malicious activities.

Threat Type(s): Malware

Damage/Probability: CRITICAL/HIGH

Description: The malicious apps used in these intrusions are distributed outside of Google Play, the official Android app store, suggesting that victims are tricked into downloading and installing them. Two of these apps have been identified posing as ‘YouTube’, one of which reaches out to a YouTube channel belonging to "Piya Sharma", indicating that the adversary uses romance-based phishing techniques to entice targets into installing the applications.

During installation, these malicious apps request permissions that might initially appear harmless for a media streaming app like YouTube. However, the interface of the apps lacks certain features of the genuine YouTube app and instead functions more like a web browser, because the trojanized app loads YouTube inside a WebView. Once these permissions have been granted, CapraRAT becomes active on the device and functions as a fully featured spyware tool. It then performs actions such as recording through the microphone and cameras, collecting SMS and call logs, sending SMS messages, taking screenshots, modifying system settings, and accessing and modifying files on the device’s filesystem.

Consequences: A successful download and execution of the CapraRAT malware on an Android device could have negative consequences. Once installed on a victim’s device, the apps can collect data, record audio and video, initiate phone calls, and gain access to sensitive communications.

Solution: The following precautions should be heeded:

  1. Android users should never install Android applications distributed outside of the Google Play store.
  2. Avoid downloading new social media applications advertised within social media communities.
  3. Evaluate the permissions requested by an application that you download, particularly for new or previously unfamiliar apps, to ensure you are not being exposed to risk.
  4. Never install a third-party version of an application that is already present on your device.
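The permission review in precaution 3 can be applied systematically during triage. The following is an added example (not ngCERT tooling and not derived from the CapraRAT samples) that reads a decoded AndroidManifest.xml and flags an app labelled "YouTube" that does not carry the genuine YouTube package id, or that requests the spyware-grade permissions the description above lists. The manifest is constructed for illustration; the genuine package id used is the publicly listed one.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions matching the CapraRAT capabilities described in the advisory
SPYWARE_PERMISSIONS = {
    "android.permission.RECORD_AUDIO": "record through the microphone",
    "android.permission.CAMERA": "record through the cameras",
    "android.permission.READ_SMS": "collect SMS",
    "android.permission.SEND_SMS": "send SMS messages",
    "android.permission.READ_CALL_LOG": "collect call logs",
    "android.permission.CALL_PHONE": "initiate phone calls",
    "android.permission.WRITE_SETTINGS": "modify system settings",
    "android.permission.READ_EXTERNAL_STORAGE": "access files on the filesystem",
}

# Package id of the genuine YouTube app as listed on Google Play
GENUINE_YOUTUBE_PKG = "com.google.android.youtube"

# Constructed manifest resembling a decoded trojanised "YouTube" APK
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.youtube.streaming">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <application android:label="YouTube"/>
</manifest>"""


def triage_manifest(xml_text: str) -> dict:
    """Return package id, label, flagged permissions and a verdict."""
    root = ET.fromstring(xml_text)
    pkg = root.get("package", "")
    app = root.find("application")
    label = app.get(ANDROID_NS + "label", "") if app is not None else ""
    perms = [e.get(ANDROID_NS + "name", "") for e in root.iter("uses-permission")]
    flagged = {p: SPYWARE_PERMISSIONS[p] for p in perms if p in SPYWARE_PERMISSIONS}
    # A "YouTube" label on any other package id is impersonation
    impersonation = label.strip().lower() == "youtube" and pkg != GENUINE_YOUTUBE_PKG
    # Two or more spyware-grade permissions is out of place for a streaming app
    verdict = "SUSPICIOUS" if impersonation or len(flagged) >= 2 else "OK"
    return {"package": pkg, "label": label, "flagged": flagged,
            "impersonation": impersonation, "verdict": verdict}


if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    print(result["verdict"], result["package"], sorted(result["flagged"]))
```

A decoded manifest can be obtained from an APK with a tool such as apktool; the same check can be pointed at the output of `adb shell dumpsys package <pkg>` once adapted to that format.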

References: