Kaspersky researchers have shared their findings about a new Android spyware application distributed by Transparent Tribe, a prolific APT group, in India under the guise of adult content and official Covid-19 applications.
The application reflects the group’s move towards extending their operations and infecting mobile devices.
This, and other findings, were released in the second part of an investigation into the threat actor.
The pandemic has become a well-abused subject by threat actors who launch social engineering threats and it continues to be relevant even now. Transparent Tribe, a threat actor that has been tracked by Kaspersky for over four years, has also adopted this go-to topic in their campaigns.
Recent findings show that the group has been actively working on improving its toolset and expanding its reach to include threats to mobile devices.
During the previous investigation into Transparent Tribe, Kaspersky was able to find a new Android implant used by the threat actor to spy on mobile devices in attacks, which was distributed in India as porn-related and fake national Covid-19 tracking apps.
The connection between the group and the two applications was made thanks to the related domains that the actor used to host malicious files for different campaigns.
The first application is a modified version of a simple open-source video player for Android, which, when being installed, showcases an adult video as a distraction. The second infected application is named “Aarogya Setu” – similar to the Covid-19 tracking mobile application developed by the government of India’s National Informatics Centre which comes under the Ministry of Electronics and Information Technology.
Both applications, once downloaded, try to install another Android package file – a modified version of the AhMyth Android Remote Access Tool (RAT) – an open source malware downloadable from GitHub, which was built by binding a malicious payload inside other legitimate applications.
The modified version of the malware is different in functionality from the standard one. It includes new features added by the attackers to improve data exfiltration, while some core features, such as stealing pictures from the camera, are missing.
The application is able to download new applications to the phone, access SMS messages, the microphone, call logs, track the device’s location and enumerate and upload files to an external server from the phone.
“The new findings underline the efforts of the Transparent Tribe members to add new tools that expand their operations even further and reach their victims via different attack vectors, which now include mobile devices,” comments Giampaolo Dedola, senior security researcher at Kaspersky’s Global Research and Analysis Team. “We also see that the actor is steadily working on improving and modifying the tools they use.
“To stay protected from such threats, users need to be more careful than ever in assessing the sources they download content from and make sure that their devices are secure. This is especially relevant to those who know that they might become a target of an APT attack.”