Copies of YouTube on Android are spreading across the Internet. These fraudulent versions, deployed by Pakistani hackers, are capable of taking control of a smartphone remotely. Once this is done, hackers can record audio files, take photos or take screenshots without your knowledge…
Computer security researchers at SentinelLabs discovered three fake YouTube apps on the Web. Offered via APK, these Android apps follow the YouTube interface to the letter. They impersonate the Google platform by appropriating the logo and most of the functionalities. However, these fraudulent versions have fewer features than the official YouTube. Good news, they have not invaded the Play Store.
In the application code, the researchers discovered CapraRAT. This is “RAT” (Remote Access Trojan) type malware, designed solely to take remote control of a computer system. In this case, the malware targets the Android operating system.
Also read: This fake Signal app distributed on the Play Store spied on discussions
A greedy and versatile spy malware
Once installed on the phone of its victims, CapraRAT will be able to seizea host of sensitive data and take control of a large part of the device’s functions. In particular, the virus will be able to listen to your conversations using the microphone, take photos with the front or back camera, vacuum up all messages, and take screenshots. All files are then transferred to remote servers. Without the user’s knowledge, the malware can also send text messages, make phone calls or modify files in the system. With all these accesses, the virus can steal a mountain of data, such as banking details, passwords, intimate photos or even private keys linked to a digital wallet. In short, the damage is considerable.
To achieve its goals, the malware obviously starts by request multiple authorizations to the Internet user. Unsuspecting of a popular service like YouTube, the user risks complying without asking any questions. We always recommend that you think carefully before granting access, particularly to the microphone, to an application found on the web.
A campaign signed APT36
After investigation, SentinelLabs experts estimated that the operation was orchestrated by APT36, a hacker gang also known as the Transparent Tribe. Close to the Pakistani government, the gang generally targets government and military entities, primarily in India, with the aim of extracting sensitive information as discreetly as possible. It also targets human rights activists in Pakistan, with the tacit and to date unproven support of the authorities.
This is not the first time the gang has deployed CapraRAT through fake apps. Earlier this year, spy malware code was spotted inside fake dating apps, says a report from Eset. The APKs were offered on fraudulent websites, promoted on social networks, or through private messages. To fool the victims, the pirates did not hesitate to play the seduction card.