The Indian APT group Patchwork, known for its targeted spear phishing cyberattacks against Pakistanis, has been caught abusing Google Play to distribute six different Android espionage applications posing as legit messaging and news services. In reality, they come loaded with a newly discovered remote access Trojan (RAT) called VajraSpy.
Researchers from ESET who uncovered the campaign found that VjjaraSpy RAT intercepts calls, SMS messages, files, contacts, and more, according to the security firm’s Patchwork report this week. They can also extract WhatsApp and Signal messages, record phone calls, and take camera pictures. In total, the researchers found the RAT-tainted applications were downloaded from the Google Play store more than 1,400 times.
In addition to the six Google Play apps being used to deliver VajraSpy, the ESET team found an additional six being distributed in third-party/unofficial app stores. The phony apps go by names that include Privee Talk, MeetMe, Let’s Chat, Quick Chat, Rafagat, and Faraqat.
“Based on several indicators, the campaign targeted mostly Pakistani users: Rafaqat رفاقت, one of the malicious apps, used the name of a popular Pakistani cricket player as the developer name on Google Play; the apps that requested a phone number upon account creation have the Pakistan country code selected by default; and many of the compromised devices discovered through the security flaw were located in Pakistan,” according to the report.
To lure victims into downloading the apps, the cybercriminals used the promise of love in targeted attacks, the report found.
“To entice their victims, the threat actors likely used targeted honey-trap romance scams, initially contacting the victims on another platform and then convincing them to switch to a trojanized chat application,” ESET’s report added.
ESET reported the apps to Google and they have been removed from the Play store.