3 July 2024

Transparent Tribe expands social engineering campaign with malware-laced Android apps

A Pakistan-linked cyber espionage group known as Transparent Tribe continues to unleash malware-laced Android apps as part of a sophisticated social engineering campaign, with malicious APKs targeting a broader range of individuals, including mobile gamers, weapons enthusiasts, and TikTok users.

Transparent Tribe, also tracked as APT36 and Operation C-Major, has been active since at least 2016 and primarily targets Indian government and military personnel. The group relies heavily on social engineering, including spear-phishing and watering hole attacks, to deliver a range of Windows and Android spyware.

The latest campaign, dubbed CapraTube, follows a similar operation observed in September 2023. During that campaign, the group used weaponized Android apps disguised as legitimate applications like YouTube to distribute CapraRAT, a modified version of AndroRAT spyware capable of capturing a wide range of sensitive data.

Unlike its predecessors, one app in the current campaign, named Crazy Games, appears benign at first glance: its manifest lacks several permissions that CapraRAT depends on, such as sending SMS, making calls, accessing contacts, or recording audio and video.

Previously, the CapraTube campaign featured an APK called Piya Sharma, most likely used in a romance-themed pretext, and the new wave continues that theme with an app named Sexy Videos. Where the earlier versions simply opened YouTube with no particular query, the latest apps are preloaded with searches that match their cover story.

For example, the TikTok app launches YouTube with the search query “Tik Toks,” while the Weapons app directs users to a YouTube channel reviewing classic arms, boasting 2.7 million subscribers.

On launch, the apps prompt the user to grant a long list of sensitive permissions: GPS location, network state, reading and sending SMS, reading contacts, recording audio, recording the screen and taking screenshots, reading and writing storage, using the camera, viewing call history and placing calls. That set is the core of CapraRAT's collection capability, and an app whose stated purpose is watching videos has no legitimate need for most of it.

A significant change in this campaign is the target platform of the malicious APKs. The latest CapraRAT builds reference Android Oreo (Android 8.0, released in 2017), whereas previous versions were built against the older Lollipop release (Android 5.1, from 2015). SentinelLabs noted that this update keeps the malware working on current Android devices, at the cost of leaving behind the small share of handsets still running pre-Oreo releases.
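The two indicators above, the requested permission set and the referenced SDK level, are the first things an analyst checks when triaging an APK like these. The following script is an added example written for this page; it is not code from SentinelLabs, from the article, or from the malware. It parses text in the layout produced by `aapt dump badging <apk>` and scores the permissions against the capability groups the article lists. Both sample dumps are constructed for illustration (package names, version numbers and the exact permission lists are assumptions, not observed values), and the `threshold` and capability grouping are this example's own choices. Screen recording and screenshots are deliberately absent from the table because Android grants them through MediaProjection at runtime rather than through a manifest permission.

```python
import re

# Constructed sample in the layout of `aapt dump badging <apk>`.
# Not a real dump of any CapraRAT sample; values are illustrative.
SPYWARE_BADGING = """\
package: name='com.example.sexyvideos' versionCode='3' versionName='1.2'
sdkVersion:'26'
targetSdkVersion:'28'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.ACCESS_NETWORK_STATE'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.SEND_SMS'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.READ_CALL_LOG'
uses-permission: name='android.permission.CALL_PHONE'
uses-permission: name='android.permission.READ_EXTERNAL_STORAGE'
uses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE'
"""

# Constructed counterpart modelled on the article's description of a
# game app that lacks the spyware permissions.
BENIGN_BADGING = """\
package: name='com.example.crazygames' versionCode='1' versionName='1.0'
sdkVersion:'26'
targetSdkVersion:'28'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.ACCESS_NETWORK_STATE'
"""

# Capability groups built from the permissions the article lists. The grouping
# is this example's choice; the permission strings are real Android names.
SPYWARE_CAPABILITIES = {
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "sms": {"android.permission.READ_SMS", "android.permission.SEND_SMS",
            "android.permission.RECEIVE_SMS"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "audio": {"android.permission.RECORD_AUDIO"},
    "camera": {"android.permission.CAMERA"},
    "calls": {"android.permission.READ_CALL_LOG", "android.permission.CALL_PHONE"},
    "storage": {"android.permission.READ_EXTERNAL_STORAGE",
                "android.permission.WRITE_EXTERNAL_STORAGE"},
}

API_LOLLIPOP_51 = 22  # Android 5.1
API_OREO_80 = 26      # Android 8.0


def parse_badging(text):
    """Extract package name, min/target SDK and permissions from aapt badging output."""
    info = {"package": None, "min_sdk": None, "target_sdk": None, "permissions": set()}
    for line in text.splitlines():
        if line.startswith("package:"):
            m = re.search(r"name='([^']+)'", line)
            info["package"] = m.group(1) if m else None
        elif line.startswith("sdkVersion:"):
            info["min_sdk"] = int(re.search(r"'(\d+)'", line).group(1))
        elif line.startswith("targetSdkVersion:"):
            info["target_sdk"] = int(re.search(r"'(\d+)'", line).group(1))
        elif line.startswith("uses-permission:"):
            m = re.search(r"name='([^']+)'", line)
            if m:
                info["permissions"].add(m.group(1))
    return info


def triage(info, threshold=4):
    """Score an APK: which spyware capability groups its permissions cover,
    and whether it is built for Oreo or newer (API 26+), as the new CapraRAT is."""
    hits = {}
    for cap, perms in SPYWARE_CAPABILITIES.items():
        matched = sorted(info["permissions"] & perms)
        if matched:
            hits[cap] = matched
    min_sdk = info["min_sdk"]
    if min_sdk is None:
        sdk_label = "unknown"
    elif min_sdk >= API_OREO_80:
        sdk_label = "oreo-or-newer"
    elif min_sdk >= API_LOLLIPOP_51:
        sdk_label = "lollipop-era"
    else:
        sdk_label = "pre-lollipop"
    return {
        "package": info["package"],
        "min_sdk": min_sdk,
        "sdk_label": sdk_label,
        "capabilities": hits,
        "capability_count": len(hits),
        # Four or more distinct collection capabilities in a "video" or "game"
        # app is the example's (assumed) bar for escalating to full analysis.
        "suspicious": len(hits) >= threshold,
    }


if __name__ == "__main__":
    for sample in (SPYWARE_BADGING, BENIGN_BADGING):
        print(triage(parse_badging(sample)))
```

Run it against real output by piping `aapt dump badging sample.apk` into `parse_badging`; the threshold is only a triage cue, since the article's Crazy Games app shows that an APK from the same campaign can pass a permission check and still warrant inspection of its code and the URLs it opens.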
