Android users have become targets of social engineering attacks aimed at stealing sensitive data stored on their smartphones and even tracking them.
A report by cybersecurity researchers at ESET says they recently found 12 Android apps that carried malicious code and were used in this campaign.
ESET says that the attackers most likely created fake accounts on social networks and presented themselves as attractive people interested in the victims. After some back and forth, they would suggest moving the conversation to an Android chat app and offer one of the malicious apps.
VajraSpy and Patchwork
Of the 12 apps used in this campaign, most pretended to be chat apps and only one was a news app. They are called Privee Talk, MeetMe, Let’s Chat, Quick Chat, Rafaqat, Chit Chat, YohooTalk, TikTalk, Hello Chat, Nidus, GlowChat and Wave Chat. Six of them were even available on the Google Play Store at the time.
Although these applications may have appeared to work as they should, in the background they were executing remote access trojan (RAT) code known as VajraSpy. This RAT was developed by an advanced persistent threat (APT) group known as Patchwork, which generally targets Pakistanis.
VajraSpy is described as “a range of espionage functions that can be extended based on the permissions granted to the application in the code package.”
Among other things, VajraSpy can steal contact lists, files, call logs and even text messages. Some of the variants can exfiltrate WhatsApp and Signal messages, record phone calls and take photos with the Android device’s camera.
ESET researchers believe at least 1,400 people were targeted, and they were able to geolocate 148 compromised devices in Pakistan and India. Google has since removed the apps from the Play Store, but they are still available for download in third-party stores and on malicious websites. Furthermore, users who have downloaded them will not be safe until they remove the apps from their devices and clean their phones completely.