Skip to main content

Woburn, MA – August 26, 2020Kaspersky researchers are sharing findings about a new Android spyware application distributed by APT group, Transparent Tribe, being disseminated in India under the guise of adult content and official COVID-19 applications. This new discovery reflects the group’s evolution towards extending their operations and infecting mobile devices.

New findings show that Transparent Tribe has been actively working on improving its toolset and expanding its reach to include threats to mobile devices. During a previous investigation into Transparent Tribe, Kaspersky was able to find a new Android implant used by the threat actor to spy on mobile devices in attacks, which was distributed in India as porn-related and fake national COVID-19 tracking apps. The connection between the group and these applications was made due to the related domains that the actor used to host malicious files for different campaigns.

The first application is a modified version of a simple open-source video player for Android, which when installed, showcases an adult video as a distraction. The second infected application is called “Aarogya Setu,” similar in name to the COVID-19 tracking mobile application developed by the Government of India’s National Informatics Centre derived from the Ministry of Electronics and Information Technology.

Once downloaded, both applications try to install another Android package file, a modified version of the AhMyth Android Remote Access Tool (RAT) which is an open source malware downloadable from GitHub, built by binding a malicious payload inside other legitimate applications.

The modified version of the malware is different in functionality from the standard version. It includes new features added by the attackers to improve data exfiltration, while some core features such as stealing pictures from the camera, are missing. The application is able to download new applications to the phone, access SMS messages, the microphone, call logs, track the device’s location and enumerate and upload files to an external server from the phone.

“These new findings underline the efforts of the Transparent Tribe members to add new tools that expand their operations even further and reach their victims via different attack vectors, which now include mobile devices,” comments Giampaolo Dedola, senior security researcher at Kaspersky’s Global Research and Analysis Team. “We also see that the actor is steadily working on improving and modifying the tools they use. To stay protected from such threats, users need to be more careful than ever in assessing the sources they download content from and make sure that their devices are secure. This is especially relevant to those who know that they might become a target of an APT attack.”

Detailed information on Indicators of Compromise related to this group, including file hashes and C2 servers, can be accessed on the Kaspersky Threat Intelligence Portal.

For further details on the Transparent Tribe-related findings, see the full report on Securelist.

Learn more about this APT group's activity in the upcoming GReAT Ideas webinar. Powered by SAS: advancing on new fronts – tech, mercenaries and more, which will take place on August 26 at 2pm GMT. Register for free here:

About Kaspersky

Kaspersky is a global cybersecurity company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 270,000 corporate clients protect what matters most to them. Learn more at

Media Contact:

Cassandra Faro

Transparent Tribe’s new Android spyware distributed under the guise of popular apps

Kaspersky Logo