The Transparent Tribe hacker group is expanding its operations to infect popular mobile devices.
Kaspersky researchers have released findings on a new Android spyware implant disguised as adult-content apps and official COVID-19 applications.
The pandemic has become a favoured lure for threat actors running social-engineering attacks, and Transparent Tribe, a threat actor Kaspersky has tracked for more than four years, has adopted it in its campaigns.
During their investigation of Transparent Tribe, researchers found a new Android implant the group uses to spy on mobile devices. It was distributed in India disguised as fake porn apps and fake COVID-19 tracking apps.
The two applications were attributed to the group through the domains the actor used to host malicious files across its various campaigns.
Once installed, both apps attempt to install a second Android package (APK): a modified version of the AhMyth Android Remote Access Tool (RAT), an open-source malware downloadable from GitHub. The implant was built by embedding this malicious payload inside otherwise legitimate applications.
The modified version differs in functionality from the standard build: the attackers added features to improve data exfiltration, but it lacks some basic ones, such as stealing photos from the camera.
The implant can download new applications to the phone, access SMS messages, the microphone and call logs, track the device's location, and list files on the phone and upload them to an external server.
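A triage check for the capability set described above, as an added example that is not part of the original article or of Kaspersky's research: it parses a decoded AndroidManifest.xml (for instance the one `apktool d sample.apk` extracts from an APK) and flags an app that requests the permission to install other packages together with the SMS, microphone, call-log, location and storage permissions those capabilities require. The two manifests are constructed for the example; the real samples' manifests are not on the page, and the permission-to-capability mapping and the flagging threshold are assumptions of this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions an Android app must request to obtain each capability the
# article attributes to the implant (the mapping is this example's assumption).
CAPABILITY_PERMISSIONS = {
    "install_apps": {"android.permission.REQUEST_INSTALL_PACKAGES"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "microphone": {"android.permission.RECORD_AUDIO"},
    "call_log": {"android.permission.READ_CALL_LOG"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "files": {"android.permission.READ_EXTERNAL_STORAGE",
              "android.permission.WRITE_EXTERNAL_STORAGE"},
}


def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def matched_capabilities(perms):
    """Capabilities for which at least one enabling permission is requested."""
    return {cap for cap, needed in CAPABILITY_PERMISSIONS.items() if perms & needed}


def is_dropper_spyware_profile(manifest_xml, min_surveillance_caps=3):
    """Flag an app that can install further packages *and* requests the
    permissions behind several surveillance capabilities.

    The threshold is an assumption: legitimate apps also request many of
    these permissions, so a hit is a reason to look closer, not proof.
    """
    caps = matched_capabilities(requested_permissions(manifest_xml))
    surveillance = caps - {"install_apps"}
    return "install_apps" in caps and len(surveillance) >= min_surveillance_caps


def _manifest(package, permissions):
    """Build a minimal decoded manifest (constructed test data, not a real sample)."""
    uses = "\n".join(f'    <uses-permission android:name="{p}"/>' for p in permissions)
    return (f'<manifest xmlns:android="http://schemas.android.com/apk/res/android"\n'
            f'    package="{package}">\n{uses}\n</manifest>')


# Constructed sample: a fake tracker app requesting everything the implant needs.
SUSPECT_MANIFEST = _manifest("com.example.covidtracker", [
    "android.permission.INTERNET",
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.READ_SMS",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_CALL_LOG",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_EXTERNAL_STORAGE",
])

# Constructed sample: a plausible contact-tracing app needing only network and location.
BENIGN_MANIFEST = _manifest("com.example.tracing", [
    "android.permission.INTERNET",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.BLUETOOTH",
])

if __name__ == "__main__":
    for name, manifest in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        caps = sorted(matched_capabilities(requested_permissions(manifest)))
        print(f"{name}: capabilities={caps} flagged={is_dropper_spyware_profile(manifest)}")
```

One caveat that follows directly from the dropper design described above: the first-stage app only needs the install-packages permission, while the surveillance permissions live in the second APK it drops. Run the check on the dropped package as well as the carrier app, and treat a carrier that requests `REQUEST_INSTALL_PACKAGES` without any visible reason as suspicious on its own.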
“The new findings underscore the efforts of Transparent Tribe members to add new tools that further expand their operations and reach their victims through different attack vectors, now including mobile devices.”
“We see that the agent is constantly working to improve and modify the tools it uses. To stay protected against these threats, users must be more careful than ever when evaluating the sources from which they download content and make sure that their devices are protected,” commented Giampaolo Dedola, senior security researcher at Kaspersky.