Transparent Tribe, transparent lives: New Android spyware distributed under the guise of popular apps
Kaspersky researchers have shared their findings about a new Android spyware application that Transparent Tribe, a prolific APT group, distributed in India under the guise of adult content and official COVID-19 applications.
This reflects the group’s move towards extending its operations to infecting mobile devices. This finding, along with others, was released in the second part of an investigation into the threat actor.
The pandemic has become a heavily abused lure for threat actors launching social engineering attacks, and it continues to be relevant even now. Transparent Tribe, a threat actor that Kaspersky has tracked for over four years, has also adopted this go-to topic in its campaigns.
Recent findings show that the group has been actively working on improving its toolset and expanding its reach to include mobile devices. During the previous investigation into Transparent Tribe, Kaspersky found a new Android implant that the threat actor uses to spy on mobile devices; it was distributed in India as porn-related apps and fake national COVID-19 tracking apps. The two applications were attributed to the group through the related domains that the actor used to host malicious files for different campaigns.
The first application is a modified version of a simple open-source video player for Android which, once installed, plays an adult video as a distraction. The second infected application is named “Aarogya Setu”, mimicking the COVID-19 tracking mobile application developed by the Government of India’s National Informatics Centre, which comes under the Ministry of Electronics and Information Technology.
Once downloaded, both applications try to install another Android package file: a modified version of the AhMyth Android Remote Access Tool (RAT), an open-source malware downloadable from GitHub. The malicious package was built by binding the RAT payload inside otherwise legitimate applications.
The modified version of the malware differs in functionality from the standard one. It includes new features added by the attackers to improve data exfiltration, while some core features, such as stealing pictures from the camera, are missing. The application is able to download new applications to the phone, access SMS messages, the microphone and call logs, track the device’s location, and enumerate files on the phone and upload them to an external server.
“The new findings underline the efforts of the Transparent Tribe members to add new tools that expand their operations even further and reach their victims via different attack vectors, which now include mobile devices. We also see that the actor is steadily working on improving and modifying the tools they use. To stay protected from such threats, users need to be more careful than ever in assessing the sources they download content from and make sure that their devices are secure. This is especially relevant to those who know that they might become a target of an APT attack,” comments Giampaolo Dedola, a senior security researcher at Kaspersky’s Global Research and Analysis Team.
To stay safe from the threat, Kaspersky recommends taking the following security measures:
- Provide your SOC team with access to the latest threat intelligence (TI). The Kaspersky Threat Intelligence Portal is a single point of access for the company’s TI, providing cyberattack data and insights gathered by Kaspersky over more than 20 years.
- Ensure your endpoint security solution provides protection for mobile devices. Kaspersky Endpoint Security for Business protects against mobile malware and allows only trusted applications to be used on corporate devices.
- Ensure that your employees know the mobile device security basics by providing a security awareness training course that covers such topics. For example, Kaspersky Adaptive Online Training can help.
For further details on the Transparent Tribe-related findings, see the full report on Securelist.