ESET researchers have uncovered an Android remote access trojan (RAT) they call VajraSpy, hidden inside 12 applications; six of these were available for download on Google Play between April 1, 2021, and September 10, 2023.
The apps, posing as ordinary messaging or news apps, have since been removed from Google Play but remain available through third-party app stores. Once installed, VajraSpy lets its operators steal personal data, including contacts and messages, and, where the required permissions were granted, record phone calls.
The campaign has been attributed to the Patchwork APT group, known for primarily targeting users in Pakistan. The group's activities were previously exposed when it accidentally infected its own machines with another RAT, ‘Ragnatela’, giving researchers a look inside its operations.
ESET researcher Lukas Stefanko identified VajraSpy in the 12 apps; the six on Google Play had been downloaded about 1,400 times in total. They posed as legitimate messaging apps under names such as “Rafaqat رفاقت” and “Privee Talk.”
Outside Google Play, the apps used names such as “Hello Chat” and “Wave Chat.” Most victims were in Pakistan and India, and they were typically approached through romance scams and talked into installing the fake messaging app.
VajraSpy functions as both spyware and a RAT. Its capabilities include data theft, interception of messages from encrypted messaging apps (read on the device after decryption, not by breaking the encryption), call recording, and activating the device’s camera for surveillance. Its modular design means the functionality actually available depends on the permissions granted on the infected device.
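Each capability above maps onto one or more Android permissions, which makes the manifest of a suspect chat app the quickest thing to triage. The following Python is an added example, not ESET's detection logic and not code from VajraSpy: it parses a constructed AndroidManifest.xml (as you would extract it with apktool or aapt) and flags a spyware-like footprint when several capability buckets are requested together. The bucket definitions, the threshold of three buckets, the sample manifests and the package names are all assumptions; notification-listener access is included because it is a general way for an app to read other apps' messages, including encrypted ones, once they are displayed.

```python
"""Triage an Android manifest for a spyware-like permission footprint.

Added example with a heuristic of our own; not ESET's indicators or VajraSpy code.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"
NOTIFICATION_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"

# Capability buckets (assumption: chosen to mirror the capabilities listed in the
# article). A bucket matches only when every permission in it is requested, so a
# chat app that needs RECORD_AUDIO for voice notes is not counted as call recording.
CAPABILITIES = {
    "contacts": {"android.permission.READ_CONTACTS"},
    "sms": {"android.permission.READ_SMS"},
    "call_recording": {"android.permission.RECORD_AUDIO",
                       "android.permission.READ_PHONE_STATE"},
    "camera": {"android.permission.CAMERA"},
    "file_exfiltration": {"android.permission.READ_EXTERNAL_STORAGE"},
}
SUSPICIOUS_THRESHOLD = 3  # assumption: three or more buckets in one "chat" app


def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {n.get(NAME_ATTR) for n in root.iter("uses-permission") if n.get(NAME_ATTR)}


def notification_listener_services(manifest_xml):
    """Return services guarded by the notification-listener permission.

    Such a service receives every notification on the device, which is how an app
    can read incoming messages from other messengers without touching their data.
    """
    root = ET.fromstring(manifest_xml)
    return [s.get(NAME_ATTR) for s in root.iter("service")
            if s.get(PERM_ATTR) == NOTIFICATION_LISTENER]


def triage_manifest(manifest_xml):
    """Return the matched capability buckets and a suspicious verdict."""
    perms = requested_permissions(manifest_xml)
    matched = [name for name, needed in CAPABILITIES.items() if needed <= perms]
    if notification_listener_services(manifest_xml):
        matched.append("notification_access")
    matched.sort()
    return {"matched": matched, "suspicious": len(matched) >= SUSPICIOUS_THRESHOLD}


# Constructed sample manifests (not taken from any real app).
SPYWARE_LIKE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakechat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application>
    <service android:name=".NotifSvc"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>
"""

BENIGN_CHAT_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.plainchat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application/>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("fakechat", SPYWARE_LIKE_MANIFEST),
                            ("plainchat", BENIGN_CHAT_MANIFEST)):
        print(label, triage_manifest(manifest))
```

The benign manifest still requests contacts and the camera, which is normal for a messenger, so it stays under the threshold; the spyware-like one trips five buckets plus notification access. Treat the verdict as a reason to look closer (network behaviour, code signing, developer history), not as proof of malice.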
ESET advises users not to install obscure chat apps from unknown sources, a lure that cybercriminals reuse constantly. Although Google Play has tightened its malware screening, threat actors keep finding ways onto the platform, putting millions of users worldwide at risk.