It looks like the YouTube app but it is stealing all your data


Many applications work in a similar way to YouTube and promise new functions, special features or free offline video viewing. But beware: a group of hackers has used YouTube imitation apps to introduce malware into Android devices around the world.

The APT36 hacking group, also known as Transparent Tribe, has used several applications similar to YouTube to sneak a Trojan into the mobile phone of those who download them. It has done this by infecting phones with the CapraRAT remote access Trojan and taking advantage of the confusion or trust of people who wanted a video app.

How malware works

How have they done it? Because the app is an imitation of the official YouTube app, it has to be installed from a third-party APK. Once the app is installed on the device, the Remote Access Trojan is downloaded. The malware collects data from the victim's mobile phone. Its capabilities include: recording with the microphone and with the front and rear cameras, accessing call logs, collecting SMS and multimedia content, initiating phone calls, blocking incoming SMS or sending SMS, taking screenshots, overriding system settings such as GPS, and modifying files on the phone. In other words, it becomes powerful spy software that provides all kinds of information about what we do, what we see and what we say.


The campaign was detected by the security company SentinelLabs, which warned organizations in India and Pakistan to avoid YouTube apps found on third-party sites rather than in the official store. It is not the only or the first time that this group of hackers has acted. APT36 is already a known group in Pakistan with a similar procedure: infecting Android applications to attack all types of users and steal their information.

How to avoid this malware

The infected applications are not on Google Play, so using official application stores is enough to avoid this problem. In this case, the malicious APKs were distributed through other websites or secondary stores and not from the Google store. That is why it is especially important never to download applications from any page without first checking its reliability, reading comments, or searching to see whether it could be a problem.


Furthermore, once we have installed an app (regardless of the source), we must distrust the permissions it asks for and, of course, not grant them. A video player application has no need for permission to use your phone's camera or microphone or to access your data. If it asks for them, become suspicious and do not accept.
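
The permission check described above, as an added example that is not from the original article or from SentinelLabs: a Python sketch that reads the text produced by `aapt dump permissions <apk>` and flags permissions a video player has no need for. The mapping of permissions to the capabilities listed earlier, the sample dump and the package name are assumptions constructed for illustration.

```python
import re

# Android permissions that gate the capabilities listed in the article.
# This mapping is the example's own assumption, not taken from the report.
RISKY_FOR_VIDEO_APP = {
    "android.permission.RECORD_AUDIO": "microphone recording",
    "android.permission.CAMERA": "front and rear cameras",
    "android.permission.READ_CALL_LOG": "call log access",
    "android.permission.READ_SMS": "SMS collection",
    "android.permission.RECEIVE_SMS": "intercepting incoming SMS",
    "android.permission.SEND_SMS": "sending SMS",
    "android.permission.CALL_PHONE": "initiating phone calls",
    "android.permission.ACCESS_FINE_LOCATION": "GPS location",
    "android.permission.WRITE_EXTERNAL_STORAGE": "modifying files",
}

# Accepts both `uses-permission: name='X'` and the older `uses-permission: X`.
PERM_RE = re.compile(r"^uses-permission(?:-sdk-\d+)?:\s*(?:name=')?([\w.]+)")

def requested_permissions(dump_text):
    """Return the permissions named in the dump, in order, without duplicates."""
    perms = []
    for line in dump_text.splitlines():
        match = PERM_RE.match(line.strip())
        if match and match.group(1) not in perms:
            perms.append(match.group(1))
    return perms

def audit(dump_text):
    """Return (permission, reason) pairs that a video player should not need."""
    return [(p, RISKY_FOR_VIDEO_APP[p])
            for p in requested_permissions(dump_text)
            if p in RISKY_FOR_VIDEO_APP]

# Constructed sample input; the package name is hypothetical.
SAMPLE_DUMP = """\
package: com.example.videoplayer
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.WAKE_LOCK'
"""

if __name__ == "__main__":
    for perm, reason in audit(SAMPLE_DUMP):
        print(f"suspicious for a video app: {perm} ({reason})")
```

A flagged permission is a reason to look closer, not proof of malware; an empty result does not clear an app either.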

Another important point is to pay attention to every detail, since many applications pretend to be the original but the browser may change or the interface may be somewhat different. Look closely, because these apps stand in for the original without being exactly identical, and that can help us detect them.
