Original Article Text

More Android apps riddled with malware spotted on Google Play

An Android remote access trojan (RAT) known as VajraSpy was found in 12 malicious applications, six of which were available on Google Play from April 1, 2021, through September 10, 2023. The malicious apps, which have now been removed from Google Play but remain available on third-party app stores, are disguised as messaging or news apps. Users who installed the apps became infected with VajraSpy, which allowed the malware to steal personal data, including contacts and messages, and, depending on the permissions granted, even to record their phone calls.

ESET researchers who uncovered the campaign attribute it to the Patchwork APT group, which has been active since at least late 2015 and primarily targets users in Pakistan. In 2022, the threat actor unintentionally revealed details of its own campaign when it accidentally infected its own infrastructure with the 'Ragnatela' RAT, a tool it was employing at the time. This misstep gave Malwarebytes a window into Patchwork's operations.

The link between VajraSpy and the activity cluster that ESET tracks as Patchwork was first established by QiAnXin in 2022 (attributing it to APT-Q-43), followed by Meta in March 2023, and Qihoo 360 in November 2023 (attributing it to APT-C-52).

Android espionage

ESET researcher Lukas Stefanko found 12 malicious Android applications containing the same VajraSpy RAT code, six of which were uploaded to Google Play, where they were downloaded roughly 1,400 times.

The apps that were available on Google Play are:

VajraSpy apps available outside Google Play are all bogus messaging apps:

Third-party app stores do not report download counts, so the number of people who have installed the apps through these platforms is unknown. ESET's telemetry analysis indicates that most victims are located in Pakistan and India and were most likely tricked into installing the fake messaging apps via a romance scam.

VajraSpy is spyware and a RAT that supports various espionage functions, most of which revolve around data theft. Its capabilities are summarized as follows:

The power of VajraSpy lies in its modular nature and adaptability, while the extent of its spying capabilities is determined by the permissions it obtains on an infected device.

ESET concludes by advising users to refrain from downloading obscure chat apps recommended by people they don't know, as this is a common and longstanding tactic cybercriminals use to infiltrate devices. While Google Play keeps introducing new policies that make it harder for malware to hide in apps, threat actors continue to sneak their malicious apps onto the platform. Previous campaigns reached far more users than this VajraSpy spyware campaign, such as an October adware campaign that amassed 2 million installs. More recently, it was discovered that the SpyLoan information-stealing malware was downloaded 12 million times from Google Play in 2023.

Daily Brief Summary

MALWARE // Malicious VajraSpy RAT Infects Android Users via Google Play Apps

Malware named VajraSpy was discovered in 12 Android applications, with 6 being distributed through Google Play.

Apps infected with VajraSpy could steal personal data, record phone calls, and gain extensive access to infected devices.

The Patchwork APT group, active since at least late 2015, was identified as the operator behind the VajraSpy campaign.

These malicious apps posed as messaging or news applications and primarily targeted users in Pakistan.

The VajraSpy malware functions as a RAT and spyware with modular capabilities, depending on the permissions it acquires.

Victims likely installed the fake apps after being deceived through romance scams.

ESET researchers recommend against downloading unknown chat apps to avoid such malware infections.

Despite new security policies, threat actors continue to successfully distribute harmful applications via Google Play.