CapraRAT is a new Android remote access trojan that relays data from a target device back to the hackers

The malware is often disguised in fake government documents, honeytraps, and Covid-19 related information to lure victims. It can compromise several data points from the victim device, including access to its camera and microphone.

A hacker group known for targeting Indian military and diplomatic personnel has reportedly come up with new malware for targeting Android devices. Called CapraRAT, the new remote access trojan (RAT) is able to steal data points like location information, phone number and call history, unique identification number and more. It can even access the camera and microphone on an infected device to relay information back to the threat actors.

The new hacking tool has been identified by cybersecurity firm Trend Micro through data obtained from January 2020 to September 2021 by Trend Micro Smart Protection Network (SPN). In a report explaining the threat, the firm highlights that CapraRAT has been spotted in use by APT36, a “politically motivated” advanced persistent threat (APT) group, which also goes by the names Earth Karkaddan, Operation C-Major, PROJECTM, Mythic Leopard, and Transparent Tribe.

The report mentions that CapraRAT takes its inspiration from the Crimson RAT, a malware that was most often used by APT36 for targeting Windows devices. The two tools carry “clear similarities in design,” including function names, commands, and capabilities.

The malware, just like the Crimson RAT, relies on malicious phishing links to target users and their devices. Trend Micro notes that CapraRAT also shares similarities with, and thus might be a modified version of, an open-source RAT called AndroRAT.

Trend Micro says that it has been observing CapraRAT samples “since 2017,” with research into it suggesting that the Android trojan was first used that year. Like the Crimson RAT, the Android trojan uses subdomains and phishing documents to deceive its targets into downloading malware. This deception often takes the form of fake government documents, honeytraps, and recently, coronavirus-related information.

Once the malicious app is downloaded, it asks for system permissions just like any other app, except that these permissions hand the targeted device over to the malware. Once it has the necessary permissions, the malware can access the victim’s phone number and other contact information, unique identification number, location information and phone call history, as well as the microphone, which it uses to record audio clips. It can also launch other apps’ installation packages and open the device’s camera.
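Because the app requests its permissions through the normal Android prompt, the permission set itself is the most visible sign of the capabilities described above. The following triage script is an added example, not code from the article or from Trend Micro: it parses a decoded AndroidManifest.xml and maps the requested permissions onto the data points the report attributes to CapraRAT; the permission-to-capability mapping, the threshold and the sample manifest are the example's own assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumed mapping from the capabilities the report lists (camera, microphone,
# location, contacts, call history, device identifier, launching installers)
# onto the Android permissions an app must declare to use them.
CAPABILITY_PERMISSIONS = {
    "camera": {"android.permission.CAMERA"},
    "microphone": {"android.permission.RECORD_AUDIO"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "call_history": {"android.permission.READ_CALL_LOG"},
    "device_id": {"android.permission.READ_PHONE_STATE"},
    "install_apps": {"android.permission.REQUEST_INSTALL_PACKAGES"},
}


def requested_permissions(manifest_xml):
    """Return the set of permission names declared in <uses-permission> tags."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return {el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)}


def matched_capabilities(manifest_xml):
    """List the spyware-style capabilities the manifest's permissions would enable."""
    perms = requested_permissions(manifest_xml)
    return sorted(cap for cap, needed in CAPABILITY_PERMISSIONS.items() if perms & needed)


def triage(manifest_xml, threshold=4):
    """Flag a manifest when it enables at least `threshold` of the listed capabilities.
    The threshold is an assumption for this example, not a published detection rule."""
    caps = matched_capabilities(manifest_xml)
    return {"capabilities": caps, "suspicious": len(caps) >= threshold}


# Constructed sample manifest for demonstration; not taken from any real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
</manifest>"""

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```

A single permission such as CAMERA is normal for many apps; the point of the check is the combination, so review flagged manifests against what the app claims to do rather than blocking on the score alone.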

The Trend Micro report states that the RAT even has a “persistence mechanism” that tends to keep the malicious app active at all times. “It checks whether the service is still running every minute, and if it is not, the service will be launched again,” the report mentions.

The cybersecurity firm shares some standard tips for avoiding a CapraRAT attack. It suggests that users avoid emails and links from unknown sources, download and grant permissions only to apps from trusted sources, and use “multi-layered mobile security solutions” that can protect against a range of online threats.