Mobile YouTube users, especially those in Pakistan and India, should be careful about where they obtain the popular video application: researchers have uncovered at least three fake YouTube apps that are actually remote access trojans (RATs) built to steal data.
Cybersecurity researchers from SentinelLabs recently observed that the threat actor known as Transparent Tribe (APT36) was likely using social channels and fake landing pages to distribute apps that pose as YouTube but are in fact the malware known as CapraRAT. In a statement to the media, Google confirmed that the apps are not available on the official Google Play Store.
The trojan can steal a wide range of sensitive data from the device (including SMS messages, call logs and GPS location), record audio and video, and send everything to its operators. It can also take screenshots, override system settings, and modify files in the device's file system. That is more than enough for identity theft, phishing and social engineering campaigns, on top of outright data theft.
Two of the apps are simply called YouTube; the third is called Piya Sharma, the name of an Indian host and influencer, and is most likely used as a lure in romance-based social engineering. All three request an extensive set of permissions, far more than a video player has any reason to need, which alone should be a warning sign. Beyond that, the apps behave more like a web browser loading the YouTube site than like a native client, and they lack features found in the legitimate YouTube app.
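The permission mismatch described above is something an analyst can check mechanically before installing a sideloaded APK. The script below is an added example, not code from the article or from SentinelLabs: it parses the text that the Android SDK tool `aapt dump badging app.apk` prints, compares the requested permissions against the small set a video player legitimately needs, and flags permissions that correspond to the spyware capabilities described (SMS, call logs, location, microphone, camera, system settings). The sample badging output embedded in the block is constructed for illustration and is not the manifest of any real CapraRAT sample; the package name `com.google.android.youtube` is the legitimate YouTube package, and the thresholds in the verdict are the author's own choice.

```python
"""Triage an Android app's requested permissions against what a video player needs.

Added example (not from the article or SentinelLabs). Input is the text format
printed by `aapt dump badging app.apk`; the sample below is constructed.
"""
import re

# Permissions a plain video-streaming app has a legitimate reason to request.
EXPECTED_FOR_VIDEO_APP = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.WAKE_LOCK",
    "android.permission.FOREGROUND_SERVICE",
}

# Permissions that map directly to the spyware capabilities the article lists.
SPYWARE_INDICATORS = {
    "android.permission.READ_SMS": "read SMS messages",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.READ_CALL_LOG": "read call logs",
    "android.permission.READ_CONTACTS": "harvest contacts",
    "android.permission.ACCESS_FINE_LOCATION": "track GPS location",
    "android.permission.RECORD_AUDIO": "record audio via the microphone",
    "android.permission.CAMERA": "record video or take photos",
    "android.permission.WRITE_SETTINGS": "override system settings",
    "android.permission.MANAGE_EXTERNAL_STORAGE": "modify files across the file system",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw over other apps (overlay phishing)",
    "android.permission.REQUEST_INSTALL_PACKAGES": "side-load further payloads",
}

# Constructed sample: a hypothetical WebView wrapper labelled "YouTube" that
# asks for far more than a video player needs. Not a real sample's manifest.
SAMPLE_BADGING = """\
package: name='com.example.videoplayer' versionCode='3' versionName='1.2'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.ACCESS_NETWORK_STATE'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.READ_CALL_LOG'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.WRITE_SETTINGS'
application-label:'YouTube'
"""

PERM_RE = re.compile(r"^uses-permission: name='([^']+)'", re.M)
LABEL_RE = re.compile(r"^application-label:'([^']*)'", re.M)
PKG_RE = re.compile(r"^package: name='([^']+)'", re.M)


def parse_badging(text):
    """Return (package_name, app_label, set_of_permissions) from aapt badging output."""
    pkg = PKG_RE.search(text)
    label = LABEL_RE.search(text)
    return (pkg.group(1) if pkg else None,
            label.group(1) if label else None,
            set(PERM_RE.findall(text)))


def triage(text, official_package="com.google.android.youtube"):
    """Flag spyware-grade permissions and a YouTube label on a non-Google package."""
    pkg, label, perms = parse_badging(text)
    findings = []
    # A "YouTube" label on any package other than Google's is a red flag by itself.
    if label and "youtube" in label.lower() and pkg != official_package:
        findings.append(f"label '{label}' but package '{pkg}' is not {official_package}")
    suspicious = {p: SPYWARE_INDICATORS[p] for p in sorted(perms) if p in SPYWARE_INDICATORS}
    # Anything not expected and not already a known spyware indicator still deserves a look.
    unexpected = sorted(perms - EXPECTED_FOR_VIDEO_APP - set(SPYWARE_INDICATORS))
    for perm, capability in suspicious.items():
        findings.append(f"{perm}: lets the app {capability}")
    if len(suspicious) >= 3:
        verdict = "likely spyware"
    elif suspicious:
        verdict = "review manually"
    else:
        verdict = "consistent with a video app"
    return {
        "package": pkg,
        "label": label,
        "spyware_permissions": sorted(suspicious),
        "other_unexpected": unexpected,
        "findings": findings,
        "verdict": verdict,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_BADGING)
    print(result["verdict"])
    for finding in result["findings"]:
        print(" -", finding)
```

Run it against a real file with `aapt dump badging suspect.apk > badging.txt` and pass the file contents to `triage()`. The check is deliberately conservative: it does not prove an app is CapraRAT, but a "YouTube" that wants SMS, call logs, location, microphone and camera has no business on a phone.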
SentinelLabs assesses that APT36 is likely linked to the Pakistani government and targets Indian defense and government agencies, human rights activists and diplomats working on the Kashmir region, among others.
The group has been active since at least 2018 and was observed distributing CapraRAT apps disguised as dating services earlier this year. To avoid this trap, install apps only from official sources and be wary of the permissions an app requests, especially access to SMS, call logs, location, microphone and camera that a video player has no reason to need.