APT group targets military in India and Pakistan via malicious Android messaging apps

A group of suspected government-sponsored hackers is targeting citizens of India and Pakistan via malicious Android messaging apps in a campaign to steal sensitive information.
Researchers at cybersecurity firm ESET said the attacks, directed by an APT group they called “Transparent Tribe,” used supposedly secure messaging apps that contained a backdoor called CapraRAT.
The backdoor allowed hackers to exfiltrate sensitive information from victim devices. The campaign, which started last July and is still active, targets people with a military or political background.
The hackers used “honeytrap lures” to entice their targets into downloading apps called MeetsApp and MeetUp.
“Usually it’s not difficult to find a mobile number or an email address that they can use for the first contact,” explained ESET researcher Lukáš Štefanko, who discovered the campaign while analyzing a malware sample posted on Twitter.
ESET researchers believe victims were initially directed to the sites through romance scams, in which targets were encouraged to switch to supposedly safer platforms controlled by hackers.
Backdoor apps can record phone calls and ambient sounds, take screenshots and photos, and receive commands to download files, make calls, and send SMS messages.
The campaign appears to be highly targeted, with none of the apps available on Google Play.
ESET researchers managed to exploit the app’s weak security and found the personal data of 150 victims – most from India and Pakistan, but several from Russia, Oman and Egypt.
Transparent Tribe, also known as APT36, is suspected to be based in Pakistan and has been active since at least 2013, according to MITRE cybersecurity experts. It primarily targets “diplomatic, defense and research organizations in India and Afghanistan.”
The IP addresses used by hackers in this latest campaign link their apps and websites to Transparent Tribe, the researchers said. Both domains were registered in July 2022.
According to ESET, the group began targeting Android users in 2021 with a variety of malware.
“Both applications are based on the same legitimate code, trojanized with the CapraRAT backdoor. It appears that the messaging features were either developed by a threat actor or found (possibly purchased) online, as we were unable to identify its origin,” ESET said.
The Record previously reported on two separate campaigns allegedly linked to Transparent Tribe. In July 2021, a cyber espionage group was observed targeting Indian citizens with government- and military-themed lures in a broad campaign to infect victims with malware.
While this campaign has been attributed to a group called “SideCopy,” researchers say many of its operations are very similar to previous campaigns by APT36 or Transparent Tribe.
In another 2021 campaign attributed to the same group, threat actors created and operated a fake Android app store to target and infect people associated with the former government of Afghanistan before and during the fall of the new Taliban regime.
Hackers created fake profiles on the platform, typically posing as young women, and approached targets to trick them into clicking on malicious links, according to Facebook security researchers. These links redirected victims to phishing sites that collected login credentials or, in some cases, to fake app stores with malware-infected Android apps.
Jonathan Greig
Jonathan Greig is a Breaking News reporter at Recorded Future News. Jonathan has worked as a journalist around the world since 2014. Before moving back to New York, he worked for news agencies in South Africa, Jordan, and Cambodia. He previously covered cybersecurity for ZDNet and TechRepublic.