ESET researchers have identified twelve Android espionage apps that share the same malicious code. Six were distributed through Google Play, and the other six were found on VirusTotal, the widely used file-scanning service. All of the apps were advertised as messaging tools, except for one that posed as a news app. Each of them covertly runs remote access trojan (RAT) code known as VajraSpy, which the Patchwork APT group uses for targeted espionage.
VajraSpy, the RAT code embedded in these apps, has a range of espionage functionalities that can gather sensitive information from the targeted devices. It is capable of stealing contacts, files, call logs, and SMS messages. Even more concerning, some implementations of VajraSpy can extract messages from popular messaging apps like WhatsApp and Signal, record phone calls, and take pictures using the device’s camera.
The discovery of these malicious apps has raised concerns about the potential impact on users, particularly in Pakistan, where the Patchwork APT campaign is believed to have targeted individuals. In instances where the apps were found on Google Play, they had collectively reached over 1,400 installations before being removed from the platform. Furthermore, poor operational security around one of the apps allowed ESET researchers to geolocate 148 compromised devices, mainly in Pakistan and India.
In a further effort to mitigate the spread of potentially harmful applications, ESET is an active member of the App Defense Alliance and collaborates with Google to identify and counteract any threats posed by malicious apps. After ESET identified the Rafaqat رفاقت app as malicious, it promptly shared its findings with Google, resulting in the app being removed from the Google Play store. Additionally, other identified apps that were previously available on Google Play have also been removed, following ESET’s discovery.
The victimology of this cyberespionage campaign suggests that the threat actors behind the trojanized apps likely used a honey-trap romance scam to lure their victims into installing the malware. As a result, ESET believes that the primary targets of the attacks were individuals who fell victim to this deceptive technique. Given the specific geographical focus of the campaign and certain clues pointing to Pakistan, it is apparent that the Patchwork APT group’s activities were carried out with targeted intent.
The malicious code executed by the trojanized apps has been attributed to the Patchwork APT group, known for targeting diplomatic and government entities. The VajraSpy malware, operated by the Patchwork APT group, has been identified and analyzed by various cybersecurity organizations, further solidifying the attribution to this group.
Technical analysis of VajraSpy showed that it uses the same class names across every observed instance. This uniformity across the different iterations of the trojanized apps points to a high level of sophistication in the malware’s development and deployment.
The extent of VajraSpy’s malicious functionalities varies based on the permissions granted to the trojanized applications. ESET has categorized the trojanized apps into three groups based on the level of functionality and potential harm they pose to users. This classification provides valuable insight into the varying degrees of risk associated with each of the identified apps.
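The observation above, that VajraSpy can only do as much as the permissions the trojanized app was granted allow, suggests a simple triage a defender can run against an APK's manifest before any dynamic analysis. The following example is added here and is not ESET's tooling or classification: it maps the capabilities the article attributes to VajraSpy (contacts, files, call logs, SMS, call recording, camera) onto the real `android.permission` names an app must declare to exercise them, and sorts a manifest into illustrative tiers of my own construction. The sample manifests are constructed for the example.

```python
"""Permission-based triage of an Android manifest against the data-collection
capabilities described for VajraSpy. Added example; the capability-to-permission
mapping and the tiers are assumptions made here, not ESET's three groups."""
import xml.etree.ElementTree as ET

# Namespace prefix used by attributes such as android:name in AndroidManifest.xml.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Which declared permissions make each article-listed capability reachable.
# The permission names are real; grouping them by capability is my assumption.
CAPABILITY_PERMISSIONS = {
    "contacts": {"android.permission.READ_CONTACTS"},
    "files": {"android.permission.READ_EXTERNAL_STORAGE",
              "android.permission.MANAGE_EXTERNAL_STORAGE"},
    "call logs": {"android.permission.READ_CALL_LOG"},
    "SMS": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "call recording": {"android.permission.RECORD_AUDIO"},
    "camera": {"android.permission.CAMERA"},
}

# Illustrative tiers (constructed here): tier 1 = stored-data theft only,
# tier 2 = stored-data theft plus live sensor capture, tier 0 = none of the above.
BASELINE = {"contacts", "files", "call logs", "SMS"}
INVASIVE = {"call recording", "camera"}


def declared_permissions(manifest_xml: str) -> set[str]:
    """Return every permission the manifest requests via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:
                perms.add(name)
    return perms


def reachable_capabilities(perms: set[str]) -> set[str]:
    """Capabilities from the article that the declared permissions would allow."""
    return {cap for cap, needed in CAPABILITY_PERMISSIONS.items() if perms & needed}


def triage(manifest_xml: str) -> dict:
    """Summarise a manifest: declared permissions, reachable capabilities, tier."""
    perms = declared_permissions(manifest_xml)
    caps = reachable_capabilities(perms)
    if caps & INVASIVE:
        tier = 2
    elif caps & BASELINE:
        tier = 1
    else:
        tier = 0
    return {"permissions": sorted(perms), "capabilities": sorted(caps), "tier": tier}


# Constructed sample: a "messaging" app that asks for far more than messaging needs.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chatapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""

# Constructed sample: a news reader that only needs network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.newsreader">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = triage(manifest)
        print(f"{label}: tier {result['tier']}, capabilities {result['capabilities']}")
```

A tier on its own is not a verdict; a legitimate dialer also reads call logs. The useful signal is the mismatch between what the app claims to be (a messaging tool) and which of the listed capabilities its permissions would unlock, which is why the output keeps the capability list alongside the tier.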
In conclusion, these trojanized Android espionage apps show that sophisticated cyberespionage campaigns continue to target unsuspecting users in specific regions. The collaboration between ESET and Google illustrates how researchers and platform operators can identify and remove potentially harmful applications before more users are affected. Continued vigilance and collaboration within the security community will remain essential for countering similar threats.