Google Play Used to Spread APT’s ‘Patchwork’ Spying Apps

The Indian group APT Patchwork, known for its targeted spear phishing cyber attacks against Pakistanis, was caught abusing Google Play to distribute six different Android spy applications posing as legitimate messaging and news services. In reality, they come loaded with a newly discovered Remote Access Trojan (RAT) called VajraSpy.

ESET researchers who discovered the campaign found that the VajraSpy RAT intercepts calls, SMS messages, files, contacts, and more, according to the security firm's report on Patchwork this week. The RAT can also extract WhatsApp and Signal messages, record phone calls and take photos with the camera. In total, the researchers found that the RAT-laden applications were downloaded from the Google Play Store more than 1,400 times.

In addition to the six Google Play apps used to deliver VajraSpy, the ESET team found six others distributed in third-party/unofficial app stores. The fake apps have names that include Privee Talk, MeetMe, Let's Chat, Quick Chat, Rafaqat and Faraqat.

“Based on several indicators, the campaign mainly targeted Pakistani users: Rafaqat رفاقت, one of the malicious apps, used the name of a famous Pakistani cricket player as the developer name on Google Play; the apps that required a number of phones upon account creation have the country code of Pakistan selected by default; and many of the compromised devices discovered as a result of the security flaw were located in Pakistan,” according to the report.

To trick victims into downloading the apps, the attackers relied on the promise of romance in targeted attacks, according to the report.

“To lure their victims, the threat actors likely used targeted romance scams, initially contacting victims on another platform and then convincing them to switch to a Trojanized chat application,” the ESET report adds.

ESET reported the apps to Google and they were removed from the Play Store.
