An ongoing cyber espionage campaign has begun targeting the Android devices of Indian and Pakistani nationals with a backdoor called “CapraRAT”. The campaign has been linked to the APT group Transparent Tribe, and the current theory is that the attackers are using romance scams to lure victims into downloading a malware-laced messenger app from a third-party website. The malware is a modified version of AndroRAT that runs alongside the messenger app and lets the attackers record phone calls, make calls, send SMS messages, and download additional files, all unbeknownst to the victim. The campaign has infected as many as 150 victims who likely have an association with military or political groups. The attack uses a malicious APK file that does not appear to have been uploaded to the Google Play Store.
Espionage groups using social engineering tactics against government and military officials are nothing new. This campaign demonstrates the risks of downloading apps from outside app stores that are maintained by a trusted source. Furthermore, it highlights the importance of segmenting personal and professional devices: compromising a personal phone, while serious, does far less damage if that device holds none of the confidential information an attacker is seeking.
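One practical check that follows from the sideloading point above is to audit which installer put each third-party app on a device. The script below is an added example, not code from the original article or from any vendor. It assumes `adb` access to the device and the output formats of `adb shell pm list packages -i` (one `package:<name>  installer=<pkg|null>` line per app) and `adb shell pm list packages -3` (third-party packages only). The package names and installer values are constructed sample data standing in for real device output, and the list of trusted store installers is an assumption to adjust for your fleet.

```shell
#!/bin/sh
# Added example: flag third-party Android packages whose recorded installer
# is not a trusted app store. Not part of the original article.
#
# Real usage would capture the two listings from a connected device:
#   PM_I=$(adb shell pm list packages -i)
#   PM_3=$(adb shell pm list packages -3)
# The variables below are constructed sample output so the script runs offline.

# Constructed stand-in for `pm list packages -i` (package + recorded installer).
SAMPLE_PM_I='package:com.android.chrome  installer=com.android.vending
package:com.example.messenger  installer=null
package:com.android.settings  installer=null
package:org.example.chat  installer=com.android.packageinstaller
package:com.samsung.android.app.notes  installer=com.sec.android.app.samsungapps'

# Constructed stand-in for `pm list packages -3` (third-party packages only).
# System apps also report installer=null, so restricting to this list avoids
# flagging every preloaded package.
SAMPLE_PM_3='package:com.android.chrome
package:com.example.messenger
package:org.example.chat
package:com.samsung.android.app.notes'

# Assumption: installers accepted as trusted store fronts for this fleet.
TRUSTED_INSTALLERS='com.android.vending com.sec.android.app.samsungapps'

# is_third_party PKG LISTING: true if PKG appears in the `-3` listing.
is_third_party() {
    printf '%s\n' "$2" | grep -qxF "package:$1"
}

# is_trusted_installer INSTALLER: true if INSTALLER is in TRUSTED_INSTALLERS.
is_trusted_installer() {
    for t in $TRUSTED_INSTALLERS; do
        if [ "$1" = "$t" ]; then
            return 0
        fi
    done
    return 1
}

# flag_sideloaded PM_I_OUTPUT PM_3_OUTPUT
# Prints "<package> <installer>" for every third-party package whose
# installer is not trusted (installer=null covers adb and manual installs).
flag_sideloaded() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        pkg=${line#package:}
        pkg=${pkg%% *}
        installer=${line##*installer=}
        if is_third_party "$pkg" "$2" && ! is_trusted_installer "$installer"; then
            printf '%s %s\n' "$pkg" "$installer"
        fi
    done
}

# Run against the constructed sample; with a device attached, pass the
# captured `adb shell` output instead.
flag_sideloaded "$SAMPLE_PM_I" "$SAMPLE_PM_3"
```

On the sample data the script reports `com.example.messenger null` and `org.example.chat com.android.packageinstaller`; the store-installed packages and the preloaded settings app are not listed. Treat the output as a triage list, not a verdict: a null installer also appears for apps restored from backup or pushed by an MDM on some builds, so confirm each flagged package against the device's provisioning history before acting.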