Android users have become the target of a social engineering campaign aimed at stealing sensitive data stored on their smartphones, and even at taking control of the devices.
A report from ESET cybersecurity researchers describes 12 recently discovered Android apps that carried malicious code and were used in this campaign.
ESET says the attackers most likely created fake social media accounts and presented themselves as attractive people interested in the victims. After some back and forth, they would suggest moving the conversation to an Android chat app and would offer one of the malicious apps for that purpose.
VajraSpy and Patchwork
Of the 12 apps used in this campaign, most were presented as chat apps, and only one was a news app. They are called Privee Talk, MeetMe, Let's Chat, Quick Chat, Rafaqat, Chit Chat, YohooTalk, TikTalk, Hello Chat, Nidus, GlowChat and Wave Chat. Six of them were even available on the Google Play Store at the time.
While these applications may appear to work as intended, in the background they were running the code of a Remote Access Trojan (RAT) known as VajraSpy. This RAT was developed by an Advanced Persistent Threat (APT) group known as Patchwork, which generally targets Pakistanis.
VajraSpy was described as having “a range of spy functionality that can be extended based on the permissions granted to the application included with its code.”
Among other things, VajraSpy can steal contact lists, files, call logs, and even SMS messages. Some of the variants can filter WhatsApp and Signal messages, record phone calls, and take photos with the Android device's camera.
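The capabilities listed above (contacts, call logs, SMS, files, call recording, camera) each require specific Android runtime permissions, so a device-side triage can flag installed apps that hold the whole combination. The following script is an added example for this article, not ESET's tooling or anything from the report: it parses `dumpsys package`-style output (a constructed sample is embedded; on a real device you would feed it `adb shell dumpsys package`) and reports packages whose granted permissions cover many of the described capabilities. The permission-to-capability mapping and the package names are this example's own assumptions.

```python
import re
from typing import Dict, List, Set

# Assumed mapping from the capabilities the report describes to the Android
# permissions that would be needed to implement them (this example's own choice).
CAPABILITY_PERMISSIONS: Dict[str, Set[str]] = {
    "contacts": {"android.permission.READ_CONTACTS"},
    "call logs": {"android.permission.READ_CALL_LOG"},
    "SMS": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "files": {"android.permission.READ_EXTERNAL_STORAGE",
              "android.permission.MANAGE_EXTERNAL_STORAGE"},
    "call recording": {"android.permission.RECORD_AUDIO"},
    "camera": {"android.permission.CAMERA"},
}

def parse_granted_permissions(dumpsys_text: str) -> Dict[str, Set[str]]:
    """Collect the permissions marked granted=true for each 'Package [...]' block."""
    result: Dict[str, Set[str]] = {}
    current = None
    for line in dumpsys_text.splitlines():
        pkg = re.match(r"\s*Package \[([\w.]+)\]", line)
        if pkg:
            current = pkg.group(1)
            result[current] = set()
            continue
        perm = re.match(r"\s*([\w.]+): granted=true", line)
        if perm and current is not None:
            result[current].add(perm.group(1))
    return result

def covered_capabilities(perms: Set[str]) -> List[str]:
    """Return the described spyware capabilities this permission set would allow."""
    return [cap for cap, needed in CAPABILITY_PERMISSIONS.items() if perms & needed]

def triage(dumpsys_text: str, threshold: int = 4) -> Dict[str, List[str]]:
    """Flag packages covering at least `threshold` capabilities. A genuine messaging
    app can legitimately hold several of these, so a hit is a lead for manual review
    (is the app known? who suggested installing it?), not proof of compromise."""
    return {pkg: caps for pkg, perms in parse_granted_permissions(dumpsys_text).items()
            if len(caps := covered_capabilities(perms)) >= threshold}

# Constructed sample in the shape of `dumpsys package` output; the package names are invented.
SAMPLE = """Package [com.example.chat] (1a2b3c):
    runtime permissions:
      android.permission.READ_CONTACTS: granted=true
      android.permission.READ_CALL_LOG: granted=true
      android.permission.READ_SMS: granted=true
      android.permission.READ_EXTERNAL_STORAGE: granted=true
      android.permission.RECORD_AUDIO: granted=true
      android.permission.CAMERA: granted=true
      android.permission.ACCESS_FINE_LOCATION: granted=false
Package [com.example.weather] (4d5e6f):
    runtime permissions:
      android.permission.ACCESS_FINE_LOCATION: granted=true
      android.permission.READ_EXTERNAL_STORAGE: granted=true
"""

if __name__ == "__main__":
    for pkg, caps in triage(SAMPLE).items():
        print(f"{pkg}: covers {len(caps)} described capabilities: {', '.join(caps)}")
```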
ESET researchers believe that at least 1,400 people were attacked; they were able to geolocate 148 compromised devices in Pakistan and India. Google has since removed the apps from the Play Store, but they are still available for download from third-party stores and malicious websites. Additionally, users who downloaded them will not be safe until they remove the apps from their devices and clean their phones completely.