CapraRAT Android Spyware Campaign Targets Gamers, TikTokers

Latest Hacking News

Researchers have discovered a new malware campaign in which the well-known CapraRAT Android spyware impersonates legitimate apps. This time, the spyware targets TikTok users, gamers, and other specific user groups through apps built to mimic legitimate ones.

CapraRAT Spyware Impersonates Android Apps to Deceive Users

A recent report from SentinelLabs has revealed a new CapraRAT Android spyware campaign that is targeting specific user groups such as TikTokers and gamers.

The researchers identified four new APKs posing as various apps, some of which are disguised as legitimate applications. To help users identify these malicious apps on their devices, the application and package names to watch out for are:

  • Crazy Game (com.maeps.crygms.tktols): An app pretending to be the legitimate gaming platform “Crazygames.com” to deceive gamers.
  • Sexy Videos (com.nobra.crygms.tktols): An app that redirects to YouTube videos.
  • TikToks (com.maeps.vdosa.tktols): An app imitating the TikTok video platform, targeting TikTok users.
  • Weapons (com.maeps.vdosa.tktols): This app, with the logo “Forgotten Weapons” (mimicking a YouTube channel of the same name), aims at weapon enthusiasts.

Although these apps appear to cater to different user groups, they all operate in a similar manner, indicating the wide reach of this CapraRAT campaign.

The Latest Campaign Demonstrates Deceptive Behavior

Upon downloading any of these apps, the attack commences. During installation, the app requests intrusive permissions from users, including access to SMS, contacts, GPS location, storage read/write access, camera, audio recording, screen recording, call history, call-making permission, and network state management.

Many of these permissions are unnecessary for a gaming or video app, which should raise red flags for users. However, most users do not pay attention to individual app permissions, making them vulnerable to such threats.

In addition to these permissions, the new malware variant uses a WebView to open links to legitimate sites in order to deceive users. Furthermore, the malware now functions more as spyware than as a backdoor (unlike previous campaigns), as it omits permissions for installing packages or authenticating accounts. This behavior can mislead even the most cautious users and lets the malware remain undetected for extended periods.
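The package names and the permission mismatch described above can be turned into a simple triage check. The following is an added example, not code from SentinelLabs or from this article: it audits a decoded AndroidManifest.xml, and the mapping from the article's permission categories to Android permission constants, the threshold of 5, the helper names, and the `com.example.*` sample manifests are all assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."

# Package names listed in the article.
REPORTED_PACKAGES = {"com.maeps.crygms.tktols", "com.nobra.crygms.tktols",
                     "com.maeps.vdosa.tktols"}

# Assumed mapping of the article's permission categories to Android permission
# constants. Screen recording is not mapped here.
SENSITIVE = {
    "READ_SMS": "SMS", "READ_CONTACTS": "contacts",
    "ACCESS_FINE_LOCATION": "GPS location",
    "READ_EXTERNAL_STORAGE": "storage read",
    "WRITE_EXTERNAL_STORAGE": "storage write",
    "CAMERA": "camera", "RECORD_AUDIO": "audio recording",
    "READ_CALL_LOG": "call history", "CALL_PHONE": "call making",
    "CHANGE_NETWORK_STATE": "network state",
}

def audit_manifest(xml_text, threshold=5):
    """Flag a decoded AndroidManifest.xml by package name or permission breadth.
    threshold is an arbitrary triage cut-off, not a value from the report."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    hits = set()
    for el in root.iter("uses-permission"):
        name = el.get(ANDROID_NS + "name", "")
        if name.startswith(PREFIX) and name[len(PREFIX):] in SENSITIVE:
            hits.add(SENSITIVE[name[len(PREFIX):]])
    known = package in REPORTED_PACKAGES
    return {"package": package, "known_package": known,
            "sensitive": sorted(hits), "flag": known or len(hits) >= threshold}

def make_manifest(package, perms):
    """Build a constructed sample manifest (not taken from any real APK)."""
    uses = "".join(f'<uses-permission android:name="{PREFIX}{p}"/>' for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="{package}">{uses}<application/></manifest>')

# Constructed samples: a video wrapper asking for far more than it needs,
# a modest app, and a manifest carrying one of the reported package names.
GREEDY = make_manifest("com.example.videoapp", ["INTERNET", "READ_SMS",
    "READ_CONTACTS", "ACCESS_FINE_LOCATION", "CAMERA", "RECORD_AUDIO", "READ_CALL_LOG"])
MODEST = make_manifest("com.example.puzzle", ["INTERNET", "ACCESS_NETWORK_STATE"])
LISTED = make_manifest("com.maeps.vdosa.tktols", ["INTERNET"])

if __name__ == "__main__":
    for sample in (GREEDY, MODEST, LISTED):
        print(audit_manifest(sample))
```

A package-name match alone is enough to flag an app, while the permission count is only a prompt for closer review, since legitimate apps can also request several of these permissions.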

CapraRAT is a well-known Android spyware linked to a suspected Pakistani state-actor group, Transparent Tribe (also known as APT 36, Operation C-Major). This group, active since 2016, has conducted numerous malicious campaigns targeting users, particularly in India.
