- This Transparent Tribe campaign primarily targets Indian and Pakistani residents, presumably those with a military or political background.
- It distributed the Android CapraRAT backdoor through trojanized secure messaging and calling apps branded as MeetsApp and MeetUp; the backdoor can exfiltrate any sensitive information from its victims' devices.
- These trojanized apps were available for download from websites posing as official distribution centers. We believe a romance scam was used to lure targets to those websites.
- Poor operational security around these apps exposed user PII, allowing us to geolocate 150 victims.
- CapraRAT was hosted on a domain that resolved to an IP address previously used by Transparent Tribe.
Campaign overview
Besides the working chat functionality inherited from the original legitimate app, the trojanized versions include malicious code that we have identified as the CapraRAT backdoor. Transparent Tribe, also known as APT36, is a cyberespionage group known to use CapraRAT; we have also seen similar lures deployed against its targets in the past. The backdoor is capable of taking screenshots and photos, recording phone calls and surrounding audio, and exfiltrating any other sensitive information. It can also receive commands to download files, make calls, and send SMS messages. The campaign is narrowly targeted, and nothing suggests these apps were ever available on Google Play.