Beware of the Transparent Tribe campaign targeting Android users in India and Pakistan. ESET researchers have discovered a honey-trap romance scam used to lure victims into downloading trojanized messaging apps containing the CapraRAT backdoor. Learn how this cyberespionage group is using these apps to steal sensitive information and how to protect yourself from falling victim to this campaign.
ESET researchers have uncovered an active Transparent Tribe campaign, likely politically or militarily motivated, targeting Android users in India and Pakistan. Victims were probably lured through a honey-trap romance scam: the attackers persuaded them to install supposedly secure messaging apps that were in fact trojanized builds carrying the CapraRAT backdoor. The campaign, likely running since July 2022, has been distributing the backdoor through two websites that pose as download pages for these secure messaging apps.
The CapraRAT backdoor, associated with Transparent Tribe, can take screenshots and photos, record phone calls and surrounding audio, and exfiltrate other sensitive information from the device. It can also download files, make calls, and send SMS messages, all without alerting the user. The campaign is narrowly targeted, and the trojanized apps are not believed to have ever been available on Google Play; they were distributed only through the attackers' own websites.
The campaign was identified when ESET researchers analyzed a sample posted on Twitter that matched Snort rules for both CrimsonRAT and AndroRAT. CrimsonRAT is Windows malware known to be used only by Transparent Tribe, which is why the match pointed to the group expanding its operations to the Android platform. The Android backdoor is believed to be a modified version of the open-source AndroRAT, which Trend Micro named CapraRAT in its earlier research.
The malicious MeetUp app was found to be available at meetup-chat[.]com, while MeetsApp was believed to have been available at meetsapp[.]org. Neither app was installed automatically; there was no drive-by download. Instead, the victims were likely carefully selected and lured through romance schemes, with the attackers initiating contact on other messaging platforms before persuading the victims to install the allegedly secure chat app from one of the malicious distribution websites.
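The two distribution domains above are the only network indicators the article gives. The following is an added example (not ESET's tooling or anything from the original report) showing how a defender might turn those defanged indicators into a check over DNS and proxy logs: the IOCs are refanged, hostnames are matched as exact domains or subdomains (so `meetup-chat.com.example.net` does not fire), and the clients that contacted them are collected for triage. The log lines are constructed for the example and the `client=` field format is an assumption.

```python
import re

# Distribution domains named in the article, in the defanged form used there.
DEFANGED_IOCS = ["meetup-chat[.]com", "meetsapp[.]org"]

# Constructed sample log lines (not real telemetry); the field layout is an assumption.
SAMPLE_LOG = [
    "2023-03-07T10:12:01Z dns query client=10.0.0.5 qname=www.google.com qtype=A",
    "2023-03-07T10:12:09Z dns query client=10.0.0.17 qname=meetup-chat.com qtype=A",
    "2023-03-07T10:13:44Z proxy client=10.0.0.17 GET https://cdn.meetsapp.org/MeetsApp.apk 200",
    "2023-03-07T10:14:02Z dns query client=10.0.0.5 qname=meetup-chat.com.example.net qtype=A",
]

# Hostname: one or more dotted labels ending in an alphabetic TLD (IPv4 addresses are skipped).
HOST_RE = re.compile(r"(?i)\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")
CLIENT_RE = re.compile(r"client=(\S+)")


def refang(indicator: str) -> str:
    """Turn a defanged indicator (e.g. 'meetup-chat[.]com') back into a matchable domain."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower().rstrip(".")


def domain_matches(host: str, ioc_domain: str) -> bool:
    """True if host is the IOC domain itself or a subdomain of it (never a plain substring match)."""
    host = host.lower().rstrip(".")
    return host == ioc_domain or host.endswith("." + ioc_domain)


def scan_log(lines, iocs=DEFANGED_IOCS):
    """Return (line_no, host, ioc) for each hostname in the log that hits an IOC domain."""
    fanged = [refang(i) for i in iocs]
    hits = []
    for line_no, line in enumerate(lines, 1):
        for host in HOST_RE.findall(line):
            for ioc in fanged:
                if domain_matches(host, ioc):
                    hits.append((line_no, host.lower(), ioc))
                    break  # one hit per hostname is enough
    return hits


def affected_clients(lines, iocs=DEFANGED_IOCS):
    """Set of client identifiers that resolved or fetched from an IOC domain."""
    hit_lines = {line_no for line_no, _, _ in scan_log(lines, iocs)}
    clients = set()
    for line_no, line in enumerate(lines, 1):
        if line_no in hit_lines:
            m = CLIENT_RE.search(line)
            if m:
                clients.add(m.group(1))
    return clients


if __name__ == "__main__":
    for line_no, host, ioc in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {host} matches {ioc}")
    print("clients to triage:", sorted(affected_clients(SAMPLE_LOG)))
```

In a real deployment the hit list would be fed into the SIEM as an alert and the affected clients pulled for an APK inventory; the point of the suffix match is that a naive substring search would both miss `cdn.meetsapp.org` style subdomains if anchored to the bare domain and falsely fire on lookalike hostnames that merely contain the string.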
The Transparent Tribe campaign remains active and poses a significant threat to the targeted users' sensitive information. It uses two messaging applications as cover for its Android CapraRAT backdoor and relies on romance scam baits to get victims to install them.
The attackers keep chatting with victims through the trojanized app itself, which keeps them on the platform and keeps the backdoor installed and running on their devices. Users should avoid installing apps from anywhere other than official stores, and should be especially wary of apps recommended through unsolicited messages or by a new online acquaintance.