Kaspersky researchers are sharing findings about a new Android spyware application distributed by APT group, Transparent Tribe, being disseminated in India under the guise of adult content and official COVID-19 applications. This new discovery reflects the group’s evolution towards extending their operations and infecting mobile devices.
New findings show that Transparent Tribe has been actively working on improving its toolset and expanding its reach to include threats to mobile devices. During a previous investigation into Transparent Tribe, Kaspersky was able to find a new Android implant used by the threat actor to spy on mobile devices in attacks, which was distributed in India as porn-related and fake national COVID-19 tracking apps. The connection between the group and these applications was made due to the related domains that the actor used to host malicious files for different campaigns.
The first application is a modified version of a simple open-source video player for Android, which when installed, showcases an adult video as a distraction. The second infected application is called “Aarogya Setu,” similar in name to the COVID-19 tracking mobile application developed by the Government of India’s National Informatics Centre derived from the Ministry of Electronics and Information Technology.
Once downloaded, both applications try to install another Android package file, a modified version of the AhMyth Android Remote Access Tool (RAT) which is an open source malware downloadable from GitHub, built by binding a malicious payload inside other legitimate applications.
The modified version of the malware is different in functionality from the standard version. It includes new features added by the attackers to improve data exfiltration, while some core features such as stealing pictures from the camera, are missing. The application is able to download new applications to the phone, access SMS messages, the microphone, call logs, track the device’s location and enumerate and upload files to an external server from the phone.
“These new findings underline the efforts of Transparent Tribe members to add new tools that expand their operations even further and reach their victims via different attack vectors, which now include mobile devices,” comments Giampaolo Dedola, senior security researcher at Kaspersky’s Global Research and Analysis Team. “We also see that the actor is steadily working on improving and modifying the tools they use. To stay protected from such threats, users need to be more careful than ever in assessing the sources they download content from and make sure that their devices are secure. This is especially relevant to those who know that they might become a target of an APT attack.”