
The Transparent Tribe Vibe: APT36 Returns With CapraRAT Impersonating Viber

Medium
Published: Tue Jun 03 2025 (06/03/2025, 18:25:37 UTC)
Source: AlienVault OTX General

Description

APT36, also known as Transparent Tribe, has been observed using the VPS provider Contabo to host infrastructure for CapraRAT and Crimson RAT. Its latest tactic disguises the spyware as the popular messaging app Viber; once installed, the app requests extensive permissions that let it record calls, read messages and track location. The investigation traced the infrastructure, identified key indicators of compromise and mapped the extent of this Android surveillance campaign. The actor distributes its Android Remote Access Trojans through social engineering, with lures crafted to match the app the RAT impersonates. The malware's capabilities include targeted surveillance, credential theft and abuse of legitimate hosting, and the impersonation risks eroding trust in legitimate communication platforms.

AI-Powered Analysis

Last updated: 07/04/2025, 16:57:18 UTC

Technical Analysis

APT36, also known as Transparent Tribe, has re-emerged with an Android malware campaign built around two Remote Access Trojans (RATs), CapraRAT and Crimson RAT. The actor distributes the RATs through social engineering: the spyware is packaged to look like the messaging application Viber, so that the victim installs it voluntarily and approves the permissions it asks for. Once those permissions are granted, the malware can record calls, read messages, track the device's location and steal credentials, giving the operator comprehensive surveillance of the device. The supporting infrastructure is hosted on VPS servers rented from Contabo; because the provider is legitimate and widely used, blocking and takedown are slower and noisier than for bulletproof hosting. The pulse maps delivery to MITRE ATT&CK T1566.001 (Spearphishing Attachment) and T1204 (User Execution): whether the lure arrives as an attachment or as a download link, the payload is the trojanized APK itself, and the infection chain does not depend on exploiting a software vulnerability, so device patch level alone offers no protection. The indicators of compromise are file hashes of the malware samples (MD5, SHA-1 and SHA-256), suitable for blocking and for retrospective hunting. A practical caveat for defenders: a genuine messenger legitimately asks for microphone, contacts, SMS and location permissions, so the permission prompt is not by itself a distinguishing signal; what sets the fake apart is its origin (a sideloaded APK rather than the Play Store listing) and a signing certificate that does not match the real publisher's. Impersonating a trusted communication platform such as Viber also risks eroding user trust in the legitimate app, with effects that reach beyond the targeted victims.
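To make the hash indicators from this pulse usable for hunting, here is an added example (not code from the AlienVault pulse or the CloudSEK report) in Python. It hashes every APK under a directory with MD5, SHA-1 and SHA-256 in one pass and reports any digest that appears in the pulse's hash list; the directory argument and the sample bytes in the usage call are constructed.

```python
"""Hunt for the CapraRAT / Crimson RAT samples from this pulse by file hash.

Added example, not part of the AlienVault pulse or the CloudSEK report.
Usage: python hunt_hashes.py <directory-with-apks>
"""
from __future__ import annotations

import hashlib
import sys
from pathlib import Path

ALGORITHMS = ("md5", "sha1", "sha256")

# The nine hash IOCs from the pulse, normalized to lowercase hex.
IOC_HASHES = frozenset({
    "34546a79de045b7ee4c0c8d4cbeb6778",
    "91f5009c786618bbbd798ee777b061e3",
    "f73f1a694d2a5c7e6d04fbc866a916bd",
    "184e40229e2c62087aa182075c6efc748953df0a",
    "555128ccc53e6beae6f695b5ea903daab4a41250",
    "f8f63044cfe387aff0b245da80f407570aedd660",
    "256f4e0fc5ac1d12c77223673088536acbbe02757aa3d5d3fc6c45958768c2c1",
    "600781bc13875d80026910e12f80b88ba474fe88017daf117ee6240d944b08d2",
    "e11e509039bb45fb827f6a36c804fcd8220338672c847d3abef3b21885253759",
})


def algorithm_for(digest: str) -> str:
    """Infer the algorithm from digest length: 32 hex chars MD5, 40 SHA-1, 64 SHA-256."""
    return {32: "md5", 40: "sha1", 64: "sha256"}.get(len(digest), "unknown")


def digests_for_bytes(data: bytes) -> dict[str, str]:
    """MD5, SHA-1 and SHA-256 of an in-memory blob (e.g. a mail attachment already in RAM)."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def digests_for_file(path: Path, chunk_size: int = 1 << 20) -> dict[str, str]:
    """Same three digests for a file, read once in 1 MiB chunks so large APKs do not fill memory."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            for hasher in hashers.values():
                hasher.update(block)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def match_iocs(digests: dict[str, str]) -> list[tuple[str, str]]:
    """Return (algorithm, digest) pairs present in IOC_HASHES; comparison is case-insensitive."""
    return [(alg, d.lower()) for alg, d in digests.items() if d.lower() in IOC_HASHES]


def scan_directory(root: Path, pattern: str = "*.apk") -> dict[str, list[tuple[str, str]]]:
    """Hash every file matching `pattern` under `root` and keep only the IOC hits."""
    hits: dict[str, list[tuple[str, str]]] = {}
    for path in root.rglob(pattern):
        if path.is_file():
            matched = match_iocs(digests_for_file(path))
            if matched:
                hits[str(path)] = matched
    return hits


if __name__ == "__main__":
    # Constructed usage: scan the directory given on the command line (default: cwd).
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")
    for file_path, matches in scan_directory(target).items():
        for algorithm, digest in matches:
            print(f"IOC HIT {file_path} {algorithm}={digest}")
```

Because the pulse publishes all three digest types, a single pass that computes all three catches a sample whichever hash a downstream tool happens to log; hashes are trivially changed by repacking the APK, so treat a miss as absence of these specific builds, not as a clean bill of health.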

Potential Impact

For European organizations the threat is most acute in sectors that handle sensitive information: government, defence, critical infrastructure and strategically important private enterprises. Spyware that records calls, reads messages and tracks location breaks confidentiality and privacy outright, and the credentials it steals from the phone (including one-time codes delivered by SMS) can be replayed against corporate services, giving the actor a foothold from which to move laterally. Viber's popularity in parts of Europe makes the lure plausible to a large pool of users. Command and control hosted on a mainstream VPS provider blends into ordinary traffic, so surveillance can continue undetected for long periods. Mobile endpoints are typically less monitored than desktops, which makes them an attractive initial vector. Likely outcomes are data leakage, espionage, reputational damage and a loss of trust in legitimate communication platforms across the affected organizations.

Mitigation Recommendations

1. Deploy a Mobile Threat Defense (MTD) solution that detects and blocks malicious Android applications, in particular repackaged or impersonating builds of legitimate apps such as Viber.
2. Enforce application installation policies on managed devices: disable "install unknown apps" (sideloading) through MDM and restrict installs to the Google Play Store and a verified enterprise app store.
3. Train users to recognize the social engineering used here: an unsolicited link or attachment offering a messaging app, or an "update" to one, delivered outside the app store.
4. Use MDM to monitor and restrict app permissions, and treat a non-store app that holds microphone, SMS, call-log and location permissions together as a priority for review.
5. Monitor network traffic for connections to the command-and-control infrastructure identified in the referenced report. Contabo is a legitimate provider with many benign customers, so block the specific hosts rather than the provider's address space, and where the only indicator is the hosting provider, flag rather than block.
6. Load the malware hashes listed under Indicators of Compromise into endpoint, mail and proxy tooling for blocking and for retrospective search.
7. Enforce multi-factor authentication across critical systems so that credentials captured on a compromised phone are not sufficient on their own; since a RAT that reads messages can also read SMS one-time codes, prefer app-based or hardware authenticators.
8. Audit app inventories and permissions on employee devices regularly and remove unauthorized or suspicious applications.
9. Work with the mobile security vendor to enable behavioural detection of RAT activity (call recording, bulk SMS reads, persistent location polling) rather than relying on hashes alone.
10. Include mobile device compromise in incident response plans so that an infected phone can be isolated, imaged and remediated quickly.
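Recommendations 2, 4 and 8 above come down to one check per device: which third-party apps were installed from outside the store, and which of those hold the surveillance permissions a CapraRAT-style app needs. The following added example (not code from the pulse or the CloudSEK report) implements that check in Python on top of two standard adb commands, `pm list packages -i -3` and `dumpsys package <pkg>`. The SAMPLE_* strings are constructed to mimic their output; `com.example.viber.lookalike` is a hypothetical package name, and the trusted-installer list and the flag threshold are assumptions to adjust for your fleet.

```python
"""Flag sideloaded Android apps that hold the permission set a CapraRAT-style spyware needs.

Added example, not part of the pulse or the CloudSEK report. It parses the output of two
standard adb commands; the SAMPLE_* strings below are constructed to mimic that output.
"""
from __future__ import annotations

import re
import subprocess

# Permissions that together give an app the call, message and location reach described above.
SURVEILLANCE_PERMISSIONS = frozenset({
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_CONTACTS",
    "android.permission.CAMERA",
})
# Installers we trust. Google Play is com.android.vending; add your MDM or enterprise store (assumption).
TRUSTED_INSTALLERS = frozenset({"com.android.vending"})
# How many surveillance permissions a non-store app may hold before it is flagged (assumed threshold).
FLAG_THRESHOLD = 3


def parse_installers(pm_output: str) -> dict[str, str]:
    """Parse `adb shell pm list packages -i -3`: one 'package:<pkg>  installer=<pkg|null>' per line."""
    installers: dict[str, str] = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            installers[m.group(1)] = m.group(2)
    return installers


def parse_granted_permissions(dumpsys_output: str) -> set[str]:
    """Collect permissions reported as granted in `adb shell dumpsys package <pkg>`."""
    return set(re.findall(r"(android\.permission\.[A-Z_]+): granted=true", dumpsys_output))


def assess(package: str, installer: str, granted: set[str]) -> dict:
    """Combine provenance and permissions into one verdict for a package."""
    sideloaded = installer not in TRUSTED_INSTALLERS
    held = sorted(granted & SURVEILLANCE_PERMISSIONS)
    return {
        "package": package,
        "installer": installer,
        "sideloaded": sideloaded,
        "surveillance_permissions": held,
        # Store-installed apps are never flagged here: a real messenger legitimately holds these.
        "suspicious": sideloaded and len(held) >= FLAG_THRESHOLD,
    }


def triage(pm_output: str, dumpsys_by_package: dict[str, str]) -> list[dict]:
    """Assess every third-party package; missing dumpsys output counts as no granted permissions."""
    return [
        assess(pkg, installer, parse_granted_permissions(dumpsys_by_package.get(pkg, "")))
        for pkg, installer in parse_installers(pm_output).items()
    ]


def collect_from_device() -> tuple[str, dict[str, str]]:
    """Pull the same two outputs from a connected device over adb (requires adb on PATH)."""
    pm_output = subprocess.run(["adb", "shell", "pm", "list", "packages", "-i", "-3"],
                               capture_output=True, text=True, check=True).stdout
    dumps = {}
    for pkg in parse_installers(pm_output):
        dumps[pkg] = subprocess.run(["adb", "shell", "dumpsys", "package", pkg],
                                    capture_output=True, text=True, check=True).stdout
    return pm_output, dumps


# Constructed sample: the real Viber client from Play next to a hypothetical sideloaded lookalike.
SAMPLE_PM = """package:com.viber.voip  installer=com.android.vending
package:com.example.viber.lookalike  installer=null
"""
SAMPLE_DUMPSYS = {
    "com.viber.voip": """    runtime permissions:
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET]
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET]
""",
    "com.example.viber.lookalike": """    runtime permissions:
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET]
      android.permission.READ_SMS: granted=true, flags=[ USER_SET]
      android.permission.READ_CALL_LOG: granted=true, flags=[ USER_SET]
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET]
      android.permission.CAMERA: granted=false, flags=[ USER_SET]
""",
}


def sample_verdicts() -> dict[str, dict]:
    """Run the triage over the constructed sample, keyed by package name."""
    return {v["package"]: v for v in triage(SAMPLE_PM, SAMPLE_DUMPSYS)}


if __name__ == "__main__":
    for verdict in sample_verdicts().values():
        print(verdict)
```

The verdict deliberately keys on provenance first: the genuine client in the sample holds microphone and contacts access and is not flagged, while the sideloaded lookalike with four surveillance permissions is. Swap `SAMPLE_PM`/`SAMPLE_DUMPSYS` for the return value of `collect_from_device()` to run it against a real handset.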


Technical Details

Author: AlienVault
TLP: white
Reference: https://www.cloudsek.com/blog/the-transparent-tribe-vibe-apt36-returns-with-caprarat-impersonating-viber
Adversary: APT36
Pulse ID: 683f3e21d4bf7a5db1887800
Threat Score: null

Indicators of Compromise

File hashes of the malware samples, as listed in the pulse (grouped by algorithm; the pulse gives no per-sample description):

MD5
34546a79de045b7ee4c0c8d4cbeb6778
91f5009c786618bbbd798ee777b061e3
f73f1a694d2a5c7e6d04fbc866a916bd

SHA-1
184e40229e2c62087aa182075c6efc748953df0a
555128ccc53e6beae6f695b5ea903daab4a41250
f8f63044cfe387aff0b245da80f407570aedd660

SHA-256
256f4e0fc5ac1d12c77223673088536acbbe02757aa3d5d3fc6c45958768c2c1
600781bc13875d80026910e12f80b88ba474fe88017daf117ee6240d944b08d2
e11e509039bb45fb827f6a36c804fcd8220338672c847d3abef3b21885253759

Threat ID: 683f6564182aa0cae28d1a40

Added to database: 6/3/2025, 9:13:08 PM

Last enriched: 7/4/2025, 4:57:18 PM

Last updated: 7/31/2025, 4:48:42 AM
