A malicious Android remote access trojan (RAT) named VajraSpy has been discovered in 12 applications, six of which were available on Google Play from April 1, 2021, through September 10, 2023. Disguised as messaging or news apps, these malicious apps, now removed from Google Play, can steal personal data, including contacts and messages, and even record phone calls based on granted permissions. The Patchwork APT group, active since at least late 2015 and primarily targeting users in Pakistan, is behind this campaign, according to ESET researchers.
In addition to the six apps found on Google Play, the other six, all posing as messaging apps, were available on third-party app stores. Third-party app stores don’t report download counts, making it challenging to determine the number of installations. ESET’s telemetry analysis indicates that most victims are located in Pakistan and India, and users are likely tricked into installing these fake messaging apps through romance scams.
VajraSpy, a modular Android spyware and RAT, boasts capabilities such as gathering and transmitting personal data, intercepting messages from encrypted communication apps, recording phone calls, activating the device’s camera for surveillance, and searching and exfiltrating various files. Its modular nature allows it to adapt its spying capabilities based on the permissions it obtains on an infected device. ESET advises users to avoid downloading obscure chat apps recommended by unknown individuals, emphasizing that cybercriminals often use this tactic to infiltrate devices. Despite new Google Play policies, threat actors continue to sneak malicious apps onto the platform, impacting user security and privacy.
