Android users have become the target of a social engineering attack that aims to steal sensitive data on their smartphones and even monitor them.
A recent report from cybersecurity researchers at ESET identifies twelve trojanized Android apps used in this campaign.
ESET says the attackers most likely created fake social media accounts and presented themselves as attractive people interested in the victims. After some back and forth, they suggested moving the conversation to an Android chat app and offered one of the malicious apps for that purpose.
VajraSpy and Patchwork
Of the twelve apps used in this campaign, most masqueraded as chat apps and one as a news app. They are called Privee Talk, MeetMe, Let’s Chat, Quick Chat, Rafaqat, Chit Chat, YohooTalk, TikTalk, Hello Chat, Nidus, GlowChat and Wave Chat. Six of them were available on the Google Play Store at the time.
Although these apps appeared to work as advertised, each ran code from a Remote Access Trojan (RAT) known as VajraSpy in the background. ESET attributes this RAT to an Advanced Persistent Threat (APT) group known as Patchwork, which typically targets people in Pakistan.
VajraSpy was described as having “a range of spying functionalities that can be extended based on the permissions granted to the app included with its code.”
VajraSpy can steal contact lists, files, call logs, and even text messages, among other things. Some variants can exfiltrate WhatsApp and Signal messages, record phone calls and take photos using the Android device’s camera.
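Because the RAT's reach is bounded by the permissions the host app has been granted, a quick triage step is to list which installed apps hold the permission set that covers the capabilities above. The following Python is an added example, not code from ESET or from the report; it assumes a simplified `adb shell dumpsys package` layout (a `Package [<name>]` header followed by `<permission>: granted=<bool>` lines), uses constructed sample output with hypothetical package names (the real apps' package names are not given on this page), and treats `READ_SMS` and `READ_CALL_LOG` as red flags because a chat app plausibly needs camera, microphone and contacts access but has no reason to read SMS or the call log.

```python
import re

# Android permissions that map onto the VajraSpy capabilities listed above
# (contacts, files, call logs, SMS, call/mic recording, camera).
SPY_CAPABILITIES = {
    "android.permission.READ_CONTACTS": "contact list",
    "android.permission.READ_EXTERNAL_STORAGE": "files",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_SMS": "text messages",
    "android.permission.RECORD_AUDIO": "call/microphone recording",
    "android.permission.CAMERA": "camera photos",
}

# A chat app plausibly needs camera, microphone and contacts; it has no business
# reading SMS or the call log, so either of these alone is treated as a red flag.
HIGH_RISK = {"android.permission.READ_SMS", "android.permission.READ_CALL_LOG"}

# Constructed sample in a simplified `adb shell dumpsys package` layout
# (assumption: a "Package [<name>]" header followed by "<perm>: granted=<bool>"
# lines). Package names are hypothetical, not those of the apps in the report.
SAMPLE_DUMPSYS = """\
Package [com.example.legit.messenger] (a1b2c3):
  runtime permissions:
    android.permission.CAMERA: granted=true, flags=[ USER_SET ]
    android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
    android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
    android.permission.ACCESS_FINE_LOCATION: granted=false, flags=[ USER_SET ]
Package [com.example.chat.suspicious] (d4e5f6):
  runtime permissions:
    android.permission.CAMERA: granted=true, flags=[ USER_SET ]
    android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
    android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
    android.permission.READ_CALL_LOG: granted=true, flags=[ USER_SET ]
    android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
    android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET ]
Package [com.example.news.reader] (789abc):
  runtime permissions:
    android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET ]
"""

PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
PERM_RE = re.compile(r"^\s*([\w.]+):\s*granted=(true|false)")


def parse_granted(dump: str) -> dict[str, set[str]]:
    """Return {package: set of permissions with granted=true} from the dump text."""
    granted: dict[str, set[str]] = {}
    current = None
    for line in dump.splitlines():
        pkg = PKG_RE.match(line)
        if pkg:
            current = pkg.group(1)
            granted.setdefault(current, set())
            continue
        perm = PERM_RE.match(line)
        if perm and current is not None and perm.group(2) == "true":
            granted[current].add(perm.group(1))
    return granted


def triage(dump: str, threshold: int = 4) -> dict[str, dict]:
    """Flag packages holding a HIGH_RISK permission or at least `threshold`
    of the spying-capability permissions. Returns {package: findings}."""
    findings = {}
    for pkg, perms in parse_granted(dump).items():
        spy = perms & set(SPY_CAPABILITIES)
        risky = perms & HIGH_RISK
        if risky or len(spy) >= threshold:
            findings[pkg] = {
                "capabilities": sorted(SPY_CAPABILITIES[p] for p in spy),
                "high_risk": sorted(risky),
            }
    return findings


if __name__ == "__main__":
    for pkg, info in triage(SAMPLE_DUMPSYS).items():
        print(f"{pkg}: {', '.join(info['capabilities'])} "
              f"(high-risk: {', '.join(info['high_risk']) or 'none'})")
```

On a real device you would feed it the output of `adb shell dumpsys package <pkg>` for each sideloaded or recently installed package. The heuristic only narrows the list of apps worth a closer look; a legitimate messenger with camera, microphone and contacts access will not be flagged at the default threshold, while an app that also reads SMS and the call log will be, regardless of how it was installed.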
ESET researchers believe that at least 1,400 people were targeted, and they were able to geolocate 148 compromised devices in Pakistan and India. Google has since removed the apps from the Play Store, but they remain available on third-party stores and malicious websites, and removal from the store does not uninstall them from devices that already have them. Users who installed any of these apps remain exposed until they uninstall them; since the RAT runs inside the app, removing the app stops further collection, but data already exfiltrated cannot be recalled, so affected users should also review the contacts, messages and accounts the app could reach.