Security researchers have uncovered a cyber-espionage campaign targeting mainly Indian and Pakistani victims with Android messaging apps containing backdoor malware.
ESET said weak OpSec allowed it to locate over 150 victims, some of whom also resided in Russia, Oman and Egypt.
It attributed the campaign to the Pakistan state-linked actor Transparent Tribe (APT36) due to the use of the CapraRAT backdoor and IP addresses spotted in previous campaigns from the group.
“The backdoor is capable of taking screenshots and photos, recording phone calls and surrounding audio, and exfiltrating any other sensitive information,” ESET said.
“The backdoor can also receive commands to download files, make calls and send SMS messages. The campaign is narrowly targeted, and nothing suggests these apps were ever available on Google Play.”
CapraRAT was disguised as two legitimate-looking applications: so-called secure Android chat apps ‘MeetsApp’ and ‘MeetUp,’ which were distributed via malicious websites hosted by APT36.
“Considering that only a handful individuals were compromised, we believe that potential victims were highly targeted and lured using romance schemes, with Transparent Tribe operators most likely establishing first contact via another messaging platform,” ESET explained.
“After gaining the victims’ trust, they suggested moving to another – allegedly more secure – chat app that was available on one of the malicious distribution websites.”
The security vendor’s judgement is based on the fact that APT36 has previously used honey-trap romance scams to lure its victims. It added that victims are likely to be military or political officials.
The campaign was still live at the time of writing.