An Android remote access trojan known as VajraSpy was found in 12 malicious applications, six of which were available on Google Play from April 1, 2021, through September 10, 2023.
The malicious apps, which have now been removed from Google Play but remain available on third-party app stores, are disguised as messaging or news apps.
Those installing the apps became infected with VajraSpy, allowing the malware to steal personal data, including contacts and messages, and depending on the granted permissions, even to record their phone calls.
In 2022, the threat actor unintentionally revealed details of their own campaign when they accidentally infected their infrastructure with the 'Ragnatela' RAT, a tool they were employing at the time.
The link between VajraSpy and the activity cluster that ESET identifies as Patchwork was first established by QiAnXin in 2022, followed by Meta in March 2023, and Qihoo 360 in November 2023.
ESET researcher Lukas Stefanko found 12 malicious Android applications containing the same VajraSpy RAT code, six of which were uploaded on Google Play, where they were downloaded roughly 1,400 times.
Third-party app stores do not report download counts, so the number of people who have installed them through these platforms is unknown.
ESET's telemetry analysis indicates that most victims are located in Pakistan and India and are most likely tricked into installing the fake messaging apps via a romance scam.
VajraSpy is spyware and a RAT whose espionage features mostly revolve around data theft. Among the capabilities reported:
- Intercept and extract messages from popular encrypted communication apps such as WhatsApp and Signal.
- Intercept notifications from other apps in real time.
The power of VajraSpy lies in its modular nature and adaptability, while the extent of its spying capabilities is determined by the level of permissions it obtains on an infected device.
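Because the reach of this spyware depends on what the device grants it, a practical defender-side check is to audit which packages hold notification-listener access, the Android setting behind real-time notification interception. The POSIX shell script below is an added example, not code from ESET or the article: it parses the colon-separated ComponentName list returned by `adb shell settings get secure enabled_notification_listeners` (the `enabled_accessibility_services` key uses the same format) and flags packages that are not on an allowlist. The sample setting value and the allowlist are constructed for the example; `com.example.chatapp` is a hypothetical package name.

```shell
#!/bin/sh
# Audit notification-listener access on an Android device (added example).
# Settings.Secure key 'enabled_notification_listeners' holds a colon-separated
# list of ComponentName strings of the form package/class. Read it live with:
#   adb shell settings get secure enabled_notification_listeners
# The same parser works for 'enabled_accessibility_services'.

# Constructed sample of that output (com.example.chatapp is hypothetical).
SAMPLE='com.android.systemui/com.android.systemui.statusbar.phone.NotificationListener:com.example.chatapp/com.example.chatapp.svc.NotifSvc'

# Packages expected to hold listener access on this device (assumption).
ALLOWLIST='com.android.systemui com.google.android.wearable.app'

# list_listener_packages SETTING_VALUE
# Prints one package name per line, deduplicated and sorted.
list_listener_packages() {
    # 'settings get' prints the literal string "null" when the key is unset.
    case "$1" in
        ''|null) return 0 ;;
    esac
    printf '%s\n' "$1" | tr ':' '\n' | sed -e 's#/.*##' -e '/^$/d' | sort -u
}

# count_listener_packages SETTING_VALUE
# Prints the number of distinct packages holding listener access.
count_listener_packages() {
    n=0
    for pkg in $(list_listener_packages "$1"); do
        n=$((n + 1))
    done
    printf '%s\n' "$n"
}

# flag_unknown_listeners SETTING_VALUE ALLOWLIST
# Prints every listener package that is not in the space-separated ALLOWLIST.
flag_unknown_listeners() {
    for pkg in $(list_listener_packages "$1"); do
        allowed=0
        for ok in $2; do
            [ "$pkg" = "$ok" ] && allowed=1
        done
        [ "$allowed" -eq 0 ] && printf '%s\n' "$pkg"
    done
    return 0
}

# Stand-alone usage against the constructed sample. On a real device replace
# SAMPLE with: SAMPLE=$(adb shell settings get secure enabled_notification_listeners)
printf 'Notification listeners not in allowlist:\n'
flag_unknown_listeners "$SAMPLE" "$ALLOWLIST"
```

Any package reported here can read every notification shown on the device, including message previews from chat apps, so each entry should be accounted for; the same audit should be repeated for `enabled_accessibility_services`, which grants even broader screen access.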
ESET concludes by advising that users should refrain from downloading obscure chat apps recommended by people they don't know, as this is a common and longstanding tactic cybercriminals employ to infiltrate devices.
While Google Play introduces new policies that make it harder for malware to hide in apps, threat actors continue to sneak their malicious apps onto the platform.
Previous campaigns reached far more devices than this VajraSpy operation; an adware campaign reported in October, for example, amassed two million installs.
More recently, it was discovered that the SpyLoan information-stealing malware was downloaded 12 million times from Google Play in 2023.
Source: www.bleepingcomputer.com. Publication date: Thu, 01 Feb 2024 19:10:09 +0000