APT36 hacking group uses fake YouTube apps to spread malware


Threat actors are always looking out for new ways to dupe unsuspecting users and gain unauthorized access to their devices. Now, according to a new report from SentinelLabs, the Pakistani hacking group APT36 has turned to fake YouTube apps loaded with a remote access trojan (RAT) known as ‘CapraRAT,’ which harvests data, records audio, and captures sensitive information.

As per the report, the attackers are targeting Indian defense and government entities, as well as individuals involved in the Kashmir region and even human rights activists in Pakistan. What sets this campaign apart is that, instead of using traditional distribution channels such as the Play Store, the hackers are spreading these apps through third-party app stores, which suggests they are most likely enticing users through social engineering.

Moreover, one of the apps is named after a fictional character, Piya Sharma, which suggests the threat actors are also employing romance-based lures.

How does the YouTube malware work?

During the installation process, these malicious apps request a range of permissions, seemingly justified for a YouTube app. However, underneath all this, the app deploys the CapraRAT malware and initiates various invasive procedures.

This includes recording audio and video through the device’s microphone and cameras, gathering SMS and multimedia message contents and call logs, sending SMS messages, blocking incoming SMS, initiating phone calls, capturing screenshots, altering system settings such as GPS and network configuration, and modifying files within the phone’s filesystem. Once collected, the data is transmitted to the group’s command-and-control server.
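A defender can turn the permission mismatch described above into a simple triage check: compare what an app's manifest asks for against what a video player plausibly needs, and map the surplus to the spying capabilities listed here. This is an added example, not code from SentinelLabs or this article; the baseline set, the permission-to-capability table and the manifest fragment are all constructed assumptions, not the real CapraRAT sample.

```python
import xml.etree.ElementTree as ET

# Constructed defender-side triage example; not code from SentinelLabs or the article.
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions a legitimate video-streaming client plausibly needs (assumed baseline).
VIDEO_APP_BASELINE = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.WAKE_LOCK",
}

# Standard Android permissions mapped to the RAT capabilities the article describes.
SPYWARE_CAPABILITIES = {
    "android.permission.RECORD_AUDIO": "record audio via microphone",
    "android.permission.CAMERA": "record video via cameras",
    "android.permission.READ_SMS": "read SMS/MMS contents",
    "android.permission.RECEIVE_SMS": "intercept or block incoming SMS",
    "android.permission.SEND_SMS": "send SMS messages",
    "android.permission.READ_CALL_LOG": "collect call logs",
    "android.permission.CALL_PHONE": "initiate phone calls",
    "android.permission.ACCESS_FINE_LOCATION": "track GPS location",
    "android.permission.WRITE_SETTINGS": "alter system settings",
    "android.permission.WRITE_EXTERNAL_STORAGE": "modify files on the filesystem",
}

def manifest_permissions(manifest_xml: str) -> set[str]:
    """Return the <uses-permission> names declared in an AndroidManifest.xml string."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission"))
    return {n for n in names if n}

def triage(manifest_xml: str) -> dict[str, str]:
    """Map each permission beyond the video-app baseline to the spyware capability it enables."""
    extra = manifest_permissions(manifest_xml) - VIDEO_APP_BASELINE
    return {p: SPYWARE_CAPABILITIES[p] for p in sorted(extra) if p in SPYWARE_CAPABILITIES}

# Constructed manifest fragment standing in for a fake YouTube-style app (not a real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
</manifest>"""

if __name__ == "__main__":
    for perm, capability in triage(SAMPLE_MANIFEST).items():
        print(f"{perm}: {capability}")
```

A video player that asks for SMS, call-log and microphone access is the mismatch the article describes; the same check runs over any manifest pulled from an APK with standard Android tooling.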

However, it is important to note that while the group’s tactics may be recognizable, their continuous creation of new apps gives them an advantage. As a result, it’s even more important to remain vigilant and adopt robust security practices. These practices involve abstaining from installing apps from sources outside the Play Store, exercising caution with social media apps, and thoroughly evaluating the permissions requested by any app.

2023-09-20 15:06:52