
Google Play exploited to distribute ‘Patchwork’ APT’s espionage apps


An Indian APT cybercrime group known as Patchwork has been discovered using Google Play to distribute six different Android espionage applications, posing as legitimate messaging and news services. These applications were found to contain a newly discovered remote access Trojan (RAT) called VajraSpy.

Researchers from ESET, who uncovered the campaign, found that the VajraSpy RAT is capable of intercepting calls, SMS messages, files, contacts, and more. Additionally, the malware can extract WhatsApp and Signal messages, record phone calls, and take camera pictures. The researchers found that the RAT-tainted applications were downloaded from the Google Play store over 1,400 times.

In addition to the six Google Play apps being used to deliver VajraSpy, the ESET team also found an additional six being distributed in third-party and unofficial app stores. These phony apps include Privee Talk, MeetMe, Let’s Chat, Quick Chat, Rafagat, and Faraqat.

The campaign targeted mostly Pakistani users, as indicated by several identifying factors. For example, one of the malicious apps used the name of a popular Pakistani cricket player as the developer name on Google Play. Additionally, apps that requested a phone number upon account creation had the Pakistan country code selected by default, and many of the compromised devices discovered through the security flaw were located in Pakistan.

To entice victims into downloading the apps, the cybercriminals used the promise of love in targeted attacks. ESET’s report revealed that the threat actors likely used targeted honey-trap romance scams, initially contacting the victims on another platform and then convincing them to switch to a trojanized chat application.

Upon discovering the malicious apps, ESET reported them to Google, and they have since been removed from the Play store.

The discovery of the Indian APT group’s use of Google Play to distribute Android espionage applications highlights the ongoing threat of cybercrime and the need for users to exercise caution when downloading apps. This incident serves as a reminder of the importance of cybersecurity measures and the need for continued vigilance in the face of evolving cyber threats.
