Researchers have found a new campaign using the long-known CapraRAT Android spyware, which impersonates legitimate apps. This time the spyware poses as apps aimed at TikTok users, gamers, and other user groups.
CapraRAT Spyware Mimics Android Apps To Trick Users
According to a recent post from SentinelLabs, its researchers observed a new CapraRAT Android spyware campaign aimed at specific user groups, including TikTok users and gamers.
The researchers found four new APKs posing as various apps, some of which hide behind legitimate online services. To help users check whether they are running one of the malicious applications, the app and package names are listed below.
- Crazy Game (com.maeps.crygms.tktols): An app impersonating the legitimate gaming platform “Crazygames.com” to lure gamers.
- Sexy Videos (com.nobra.crygms.tktols): An app that redirects to YouTube videos.
- TikToks (com.maeps.vdosa.tktols): An app mimicking the TikTok video platform, aimed at TikTok users.
- Weapons (com.maeps.vdosa.tktols): An app bearing the “Forgotten Weapons” logo (mimicking the YouTube channel of the same name), aimed at weapons enthusiasts.
Although the four apps are dressed up for different audiences, they all behave the same way, which suggests this CapraRAT campaign casts a wide net.
The Recent Campaign Exhibits A Sneaky Behavior
In brief, the attack begins when a victim downloads and installs one of these apps. On installation, the app requests a number of intrusive permissions, including access to SMS, contacts, GPS location, read/write access to storage, the camera, audio recording, screen recording, call history, permission to place calls, and network state.
Obviously, many of these permissions are not needed by a gaming or video app and should raise alarm. However, most users do not scrutinize individual app permissions and so fall prey to such threats.
Besides these permissions, the new variant uses a WebView to load links to legitimate sites, so the app appears to do what it claims. The malware now looks more like spyware than a backdoor (unlike its previous campaigns), because it drops the permissions to install packages and authenticate accounts. This lower profile may fool even savvy users and keep the malware under the radar for extended periods.
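As an added example (not the article's or SentinelLabs' own tooling), the Python script below triages a decoded AndroidManifest.xml (text XML such as apktool produces from an APK) against the permission profile described above: it counts the surveillance permissions, checks for the install/accounts permissions that would mark a backdoor rather than pure spyware, and matches the package name against the list published for this campaign. The two manifests, the threshold of three surveillance permissions, and the benign sample package com.example.puzzle are constructed assumptions for the demonstration; the permission names are real Android identifiers.

```python
"""Triage a decoded AndroidManifest.xml for a spyware-style permission profile:
many surveillance permissions on an app that claims to be a game or video player,
with or without the install/accounts permissions that point at a backdoor.
Added example; not SentinelLabs' or the article's own tooling."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names covering the capabilities listed in the article.
# ACCESS_NETWORK_STATE is also requested by the malware but is normal for almost
# any app, so it is deliberately not counted as surveillance signal.
SURVEILLANCE = {
    "android.permission.READ_SMS": "read SMS",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.READ_CONTACTS": "read contacts",
    "android.permission.ACCESS_FINE_LOCATION": "GPS location",
    "android.permission.READ_EXTERNAL_STORAGE": "read storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "write storage",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "record audio",
    "android.permission.READ_CALL_LOG": "call history",
    "android.permission.CALL_PHONE": "place calls",
}

# Capabilities the article says the new variant no longer asks for; their
# presence would point at a backdoor rather than pure spyware.
BACKDOOR = {
    "android.permission.REQUEST_INSTALL_PACKAGES": "install packages",
    "android.permission.AUTHENTICATE_ACCOUNTS": "authenticate accounts",
}

# Package names from the SentinelLabs list reproduced in the article.
CAPRARAT_PACKAGES = {
    "com.maeps.crygms.tktols",
    "com.nobra.crygms.tktols",
    "com.maeps.vdosa.tktols",
}

# Threshold is an assumption for this example; tune it against your own app corpus.
SPYWARE_THRESHOLD = 3


def triage_manifest(manifest_xml: str) -> dict:
    """Return the package name, flagged permissions and a verdict for one manifest."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    requested = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    surveillance = sorted(p for p in requested if p in SURVEILLANCE)
    backdoor = sorted(p for p in requested if p in BACKDOOR)

    if backdoor and len(surveillance) >= SPYWARE_THRESHOLD:
        verdict = "backdoor-capable spyware"
    elif len(surveillance) >= SPYWARE_THRESHOLD:
        verdict = "spyware-like"
    else:
        verdict = "unremarkable"

    return {
        "package": package,
        "known_caprarat_package": package in CAPRARAT_PACKAGES,
        "surveillance": surveillance,
        "backdoor": backdoor,
        "verdict": verdict,
    }


# Constructed manifests for demonstration; they are not the real APKs' manifests.
CRAZY_GAME_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.maeps.crygms.tktols">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <application android:label="Crazy Game"/>
</manifest>"""

REAL_GAME_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.puzzle">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <application android:label="Puzzle"/>
</manifest>"""


if __name__ == "__main__":
    for manifest in (CRAZY_GAME_MANIFEST, REAL_GAME_MANIFEST):
        report = triage_manifest(manifest)
        print(f"{report['package']}: {report['verdict']}")
        for perm in report["surveillance"]:
            print(f"  surveillance: {SURVEILLANCE[perm]} ({perm})")
        for perm in report["backdoor"]:
            print(f"  backdoor: {BACKDOOR[perm]} ({perm})")
        if report["known_caprarat_package"]:
            print("  package name matches the published CapraRAT list")
```

The script expects a decoded, text-form manifest; the AndroidManifest.xml inside an APK is binary XML, so run it on the output of `apktool d app.apk` (or an equivalent decoder) rather than on the raw file from the archive. On the constructed Crazy Game manifest it reports six surveillance permissions, no install/accounts permissions, a "spyware-like" verdict, and a package-name match; the benign puzzle game comes out "unremarkable".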
CapraRAT is a known Android spyware attributed to Transparent Tribe (aka APT36, Operation C-Major), a suspected Pakistan-based state actor. The group, active since at least 2016, has run numerous malicious campaigns, particularly against Indian targets.
Let us know your thoughts in the comments.