Security experts issue warning over new spyware variant targeting Android users

Spyware concept image showing a digitized trojan horse pictured alongside binary code.
(Image credit: Getty Images)

Security researchers have issued a warning over four new Android spyware apps that are being harnessed to target users globally. 

Known as ‘CapraRAT’, this Android-based remote access trojan embeds spyware within curated video browsing applications, and has been expanded to target mobile gamers, weapons enthusiasts, and social media users, according to SentinelLabs.

The group behind the campaign, known as Transparent Tribe, has been active since at least 2016 and is known for targeting military and diplomatic personnel in both India and Pakistan, more recently expanding to the Indian education sector.

SentinelLabs said the group has been using CapraRAT since 2018 for surveillance purposes ahead of spear phishing attacks, but has since observed a number of updates.

Researchers identified three CapraRAT Android Package Kits (APK) in 2023, and said the overall functionality of its new discoveries remains the same, with the underlying code updated to better suit modern Android devices.

"The most significant changes between this campaign and the September 2023 campaign are app-to-app compatibility. The newest CapraRAT APKs we identified now contain references to Android's Oreo version (Android 8.0), which was released in 2017," the firm said in an advisory.

"Previous versions relied on the device running Lollipop (Android 5.1), which was released in 2015 and less likely to be compatible with modern Android devices."

The new versions of CapraRAT each use WebView to launch a URL to either YouTube or a mobile gaming site, There's no indication that an app with the same name, Crazy Games, is weaponized, researchers noted.

"The Crazy Games app launches WebView to load, a site containing in-browser mini games. This particularly resource-intensive site did not work well on older versions of Android during our testing," SentinelLabs said.

How does CapraRAT spyware infect devices?

When the app first launches, the user is prompted to grant several risky permissions, including access GPS location, manage network state, read and send SMS, read contacts, record audio and screen activity, and take screenshots.

However, other permissions appear to have been dropped, indicating that the app developers may be focused on making CapraRAT a surveillance tool, rather than a fully featured backdoor.=

"The decision to move to newer versions of the Android OS are logical, and likely align with the group’s sustained targeting of individuals in the Indian government or military space, who are unlikely to use devices running older versions of Android, such as Lollipop which was released eight years ago," SentinelLabs said.


Chicanes and tunnels: The race to securely connect remote users

(Image credit: Cloudflare)

Securely connect remote users

"The APK theme updates show the group continues to lean into its social engineering prowess to gain a wider audience of targets who would be interested in the new app lures, such as mobile gamers or weapons enthusiasts."

To avoid compromise researchers urged users to always evaluate the permissions requested by an app to determine whether they are actually necessary.

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.