February 2, 2024 at 10:44AM
The India-aligned APT group Patchwork used six Android espionage apps on Google Play, masquerading as messaging and news services, to distribute the VajraSpy remote access Trojan. ESET researchers found that the RAT intercepts SMS messages, files and contacts, extracts WhatsApp and Signal messages, records phone calls, and takes pictures with the camera. The campaign primarily targeted Pakistani users, apparently lured through romance scams. The apps have since been removed from the Play store.
ESET reports that Patchwork abused Google Play to distribute six different Android espionage applications disguised as legitimate messaging and news services. The applications carry a newly discovered remote access Trojan (RAT) called VajraSpy, which intercepts SMS messages, files, contacts, and more, and is also capable of extracting WhatsApp and Signal messages, recording phone calls, and taking pictures with the camera. The six Play store applications were downloaded more than 1,400 times in total, and a further six carrying the same RAT were found in third-party app stores.
The campaign primarily targeted Pakistani users, as indicated by several factors: the use of a popular Pakistani cricket player's name as the developer name, the default selection of the Pakistan country code in the apps, and the location of the compromised devices in Pakistan. The attackers relied on the promise of a romantic relationship in targeted attacks, most likely romance scams, to entice victims into installing the malicious apps.
ESET has reported the apps to Google, resulting in their removal from the Play store.