APT 36 Targeting Indian Government Officials via Spyware
Cyble Research Labs has come across an article wherein security researchers have mentioned a new Android malware named capraRAT. This malware is used by an Advanced Persistent Threat (APT) group called APT36, a.k.a Transparent Tribe, which has been observed targeting the Indian Government and its Defence personnel.
APT36, also known as ProjectM, Copper Fieldstone, Earth Karkaddan, is a Pakistan-based Threat Actors (TA) group. In the past, the APT36 group has launched a fake version of the Aarogya Setu Application for malicious purposes. Aarogya Setu is an application developed by the Indian Government to track COVID-19 cases.
Our analysis indicates that upon successful execution, this malicious application can steal sensitive data such as contacts, call logs, SMSs, Location, take screenshots, record calls, and microphone audio, send SMSs, etc., from the victims’ devices.
Technical Analysis
APK Metadata Information
- App Name: Android Services
- Package Name: com.example.appcode.appcode
- SHA256 Hash: d9979a41027fe790399edebe5ef8765f61e1eb1a4ee1d11690b4c2a0aa38ae42
Figure 1 shows the metadata information of the application.
The below figure shows the application icon and name displayed on the Android device.
Upon opening the application, the malware hides its icon from the Android device’s screen and continuously communicates with the Command and Control (C&C) server hxxp://android.viral91[.]xyz/admin/webservices.
We observed the similar domain hxxp://viral91[.]xyz had been used by Crimson RAT to target Windows machines. The TA behind Crimson RAT is also from APT36, which leads us to believe the same TAs are likely behind capraRAT.
Manifest Description
capraRAT requests the user for 21 different permissions, of which it abuses 12 permissions which are listed below.
| Permissions | Description |
| READ_SMS | Access SMSs from the victim’s device. |
| RECEIVE_SMS | Intercept SMSs received on the victim’s device |
| READ_CALL_LOG | Access Call Logs |
| READ_CONTACTS | Access phone contacts. |
| READ_PHONE_STATE | Allows access to phone state, including the current cellular network information, the phone number and the serial number of the phone, the status of any ongoing calls, and a list of any Phone Accounts registered on the device. |
| RECORD_AUDIO | Allows the app to record audio with the microphone, which the attackers can misuse. |
| ACCESS_COARSE_LOCATION | Allows the app to get the approximate location of the device network sources such as cell towers and Wi-Fi. |
| ACCESS_FINE_LOCATION | The app allows the device’s precise location using the Global Positioning System (GPS). |
| SEND_SMS | Allows an application to send SMS messages. |
| CALL_PHONE | Allows an application to initiate a phone call without going through the Dialer user interface to confirm the call. |
| WRITE_EXTERNAL_STORAGE | Allows the app to write or delete files to the device’s external storage. |
| PROCESS_OUTGOING_CALLS | Allows the app to process outgoing calls and modify the dialing number. |
We observed that the defined launcher activity in the malicious app’s manifest file loads the application’s first screen, as shown below.
Source Code Review
Our static analysis indicated that the malware steals sensitive data such as Contacts, SMSs, Call logs, and location. Besides recording calls and microphone audio, the malware also deletes files, sends SMSs, makes calls, takes pictures from the camera, etc., based on the commands received from the C&C server.
The method hideApp() showcases the code used by the malware to hide its icon from the device screen, as shown in Figure 5.
The listContacts() method has been used to access the contacts data such as phone numbers and emails from the victim’s device, as shown below.
Through the listSMS() method, we identified that the malware collects SMSs from the device, as shown in the below figure.
The method listCallLog() depicts the malware’s ability to collect Call logs data from the device. Refer to Figure 8.
The code snippet shown in the below image depicts the methods getLocByGPS()and getLocByNetwork(), which are used to collect device location from both the GPS and the connected network.
The image below highlights the malware code that takes screenshots of the device’s screen and sends them to the C&C server based on the command received from the TA.
The image below shows the malware code to collect the device’s details such as phone number, IMEI, country code, operator details, etc.
The malware also captures the pictures from the device’s front and back camera without the user’s knowledge.
The method callRecording() shown in the below image depicts the malware’s ability to record calls.
The method micRecording() shown in the below image is used by the malware to record microphone audio from the infected device.
The sendSMS() method can be used to send text messages. The TA’s C&C will provide details such as the recipient’s mobile number and message content.
The below code snippet demonstrates the method gaveCall(), which can be used to make calls on any number provided by TA’s C&C.
The method updateApp() can be used to update the capraRAT malware.
The malware communicates with the malicious C&C server to receive the commands and sends sensitive information in response.
We have listed the commands used by the TAs to control the infected device:
| Command | Description |
| smslogs | Get SMS data |
| smsstop | Unregister SMS Service |
| updateapp | Update the Malware App |
| capscreen | Take Screenshots |
| gavecall | Process Outgoing Call |
| recordcal | Call Record |
| recordmic | Mic Record |
| deleteFile | Delete Files |
| sendsms | Send SMS |
Conclusion
APT36 has been active since 2013 and uses various sophisticated malware in its attacks. capraRAT is one such malicious Android application used by the group which can perform Remote Access Trojan activities with the potential to steal Indian Government personnel’s sensitive data, including contacts, call logs, SMSs, Location, audio recordings, etc.
Given the sensitive nature of the data being accessed and the APT group suspected to be behind it, capraRAT could have severe national security implications for the Indian Diplomatic and Defense infrastructure.
TAs constantly adapt their methods to avoid detection and find new ways to target users through increasingly sophisticated techniques. Such malicious applications often masquerade as legitimate applications to trick users into installing them. This situation makes it imperative for users to install applications only after verifying their authenticity. Apps should only be installed exclusively via the official Google Play Store and other trusted portals to avoid such attacks.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
How to prevent malware infection?
- Download and install software only from official app stores like Google Play Store or the iOS App Store.
- Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
- Be wary of opening any links received via SMS or emails delivered to your phone.
- Ensure that Google Play Protect is enabled on Android devices.
- Be careful while enabling any permissions.
- Keep your devices, operating systems, and applications updated.
How to identify whether you are infected?
- Regularly check the Mobile/Wi-Fi data usage of applications installed in mobile devices.
- Keep an eye on the alerts provided by Anti-viruses and your device OS and take necessary actions accordingly.
What to do when you are infected?
- Disable Wi-Fi/Mobile data and remove SIM card – as in some cases, the malware can re-enable the Mobile Data.
- Perform a factory reset.
- Remove the application in case a factory reset is not possible.
- Take a backup of personal media files (excluding mobile applications) and perform a device reset.
What to do in case of any fraudulent transaction?
- In case of a fraudulent transaction, immediately report it to the concerned bank
What should banks do to protect their customers?
- Banks and other financial entities should educate customers on safeguarding themselves from malware attacks via telephone, SMSs, or emails.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| Initial Access | T1476 | Deliver Malicious App via Other Mean. |
| Initial Access | T1444 | Masquerade as Legitimate Application |
| Execution | T1575 | Native Code |
| Collection | T1433 | Access Call Log |
| Collection | T1412 | Capture SMS Messages |
| Collection | T1432 | Access Contact List |
| Collection | T1429 | Capture Audio |
| Collection | T1512 | Capture Camera |
| Collection | T1533 | Data from Local System |
| Collection | T1430 | Location Tracking |
| Command and Control | T1436 | Commonly Used Port |
Indicators Of Compromise (IOCs)
| Indicators | Indicator Type | Description |
| d9979a41027fe790399edebe5ef8765f61e1eb1a4ee1d11690b4c2a0aa38ae42 | SHA256 | capraRAT APK |
| hxxp://android.viral91[.]xyz/admin/webservices | URL | C&C |
