Do you have any of these apps on your Android phone? Delete them now


NSO Group raised security alarms this week, and once again it is the devastatingly powerful Pegasus malware, which was planted in Jordan to spy on journalists and activists. Although that is a high-profile case that led Apple to file a lawsuit against NSO Group, there is a whole world of seemingly innocuous Android apps out there that collect sensitive data from the average person’s phone.

Security experts at ESET have spotted at least 12 Android apps, most of them disguised as chat apps, that actually install a Trojan on the phone and then steal details like call and message logs, remotely take control of the camera and even extract chat details from end-to-end encrypted platforms such as WhatsApp.

The applications in question are YohooTalk, TikTalk, Privee Talk, MeetMe, Nidus, GlowChat, Let’s Chat, Quick Chat, Rafaqat, Chit Chat, Hello Chat and Wave Chat. Needless to say, if you have any of these apps installed on your devices, delete them immediately.

In fact, six of these apps were available on the Google Play Store, which raises the stakes because users flock there, putting their faith in the security protocols Google has put in place. A remote access trojan (RAT) called VajraSpy is at the heart of these apps’ spying activities.

A chat app that does serious damage


“It steals contacts, files, call logs and SMS messages, but some of its implementations can even extract WhatsApp and Signal messages, record phone calls and take camera pictures,” ESET’s report on its findings says.

Notably, this is not the first time VajraSpy has raised alarms. In 2022, Broadcom also listed it as a remote access trojan (RAT) variant that uses Google Cloud Storage to collect data stolen from Android users. This malware is linked to the APT-Q-43 threat group, which is known to specifically target members of the Pakistani military establishment.

VajraSpy’s apparent goal is to collect information from the infected device and capture user data, such as text messages, WhatsApp and Signal conversations and call history, among others. These apps, most of which masqueraded as chat apps, used romance-themed social engineering to lure targets.

This is a recurring theme, especially given the goal of these apps. In 2023, Scroll reported how spies across the border were using honey traps to lure Indian scientists and military personnel into giving up sensitive information through a combination of romance and blackmail. Even the FBI issued a warning about digital romance scams, while a White House staffer lost more than half a million dollars in one such trap.


In the latest VajraSpy case, the apps were able to extract contact information, messages, the list of installed apps, call logs and local files in various formats such as .pdf, .doc, .jpeg, .mp3 and more. Those with advanced features require the use of a phone number, but they could also intercept messages on secure platforms such as WhatsApp and Signal.

In addition to recording real-time text exchanges, these apps can intercept notifications, record phone calls, record keystrokes, take pictures with the camera without the victim knowing, and take over the microphone to record audio. Once again, the latter is not surprising.

We recently reported how bad actors are abusing push notifications on phones and selling data to government agencies, while security experts told Digital Trends that the only sure way to stop this is to disable access to notifications for apps.
