
Incident Overview:

A sophisticated Android Remote Access Trojan (RAT), named VajraSpy, has been identified in 12 applications, six of which were distributed through the official Google Play Store between 1 April 2021 and 10 September 2023. Although they have been removed from Google Play, these applications remain available on third-party platforms, where they masquerade as legitimate messaging and news services.

Figure 1: Android Google Play

Impact and Method of Infection:

Once installed and granted the relevant permissions, VajraSpy exfiltrates personal data including contacts, SMS messages and call logs. It can record phone conversations and, if the camera permission is granted, use the device's camera for surveillance. It also targets encrypted messaging apps such as WhatsApp and Signal to intercept their messages; note that it does this on the device, where messages are already decrypted, rather than by breaking the apps' encryption. Documents and media files stored on the device are stolen as well.

Attribution and Historical Context:

The Patchwork APT group, operational since at least late 2015 and focused on South Asian targets, particularly in Pakistan, is assessed to be the operator. The group's activities were inadvertently exposed in early 2022 when it infected its own systems with another RAT, which gave researchers insight into its tooling and modus operandi. VajraSpy's link to Patchwork was established through separate reports from the cyber security firms QiAnXin, Meta and Qihoo 360, and it fits the group's ongoing espionage campaigns.

Geographical Distribution:

ESET's telemetry indicates that victims are primarily located in Pakistan and India, and that at least some were lured into installing the counterfeit applications through romance scams.

Technical Analysis:

VajraSpy is a modular and adaptable espionage framework whose reach on a device scales with the permissions the user grants: an app that obtains only basic permissions can collect contacts and call logs, while one that is also granted microphone, camera and storage access can record calls, take photos and harvest files. That breadth of surveillance and data theft, combined with distribution through a trusted store, is what makes it a serious threat to personal security.

Preventative Measures and Recommendations:

Users should be sceptical of unfamiliar chat applications, particularly when someone they do not know recommends or sends one. Persuading a target to install a "new" messaging app is a common social-engineering vector for getting malware onto a device, and when the app is sideloaded it bypasses the app store's vetting entirely.

Industry Response:

Google has tightened Play Store policies to curb malware distribution, but adversaries continue to find ways through. For comparison, earlier campaigns reached far larger audiences than VajraSpy: an adware campaign secured 2 million installs, and the SpyLoan apps reached 12 million downloads in 2023.

Google’s Stance:

In response to these findings, Google reiterates its commitment to app integrity and user privacy. It states that apps found to violate its policies face enforcement action, and points to Google Play Protect, which warns users about apps known to exhibit malicious behaviour on Android devices with Google Play Services, including apps installed from outside Google Play.

Security Action:

Organisations and individuals should stay vigilant, keep devices and security tooling up to date, and install applications only from reputable sources. On managed fleets, inventory sideloaded apps and review the runtime permissions granted to messaging apps, since a VajraSpy-style RAT depends on those permissions to collect data. Continuous monitoring and adherence to cyber security best practice remain the primary defences against threats of this kind.
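As an added example (not part of the original article, and not code from ESET, Google or the Patchwork reports), the following Python script demonstrates the check a fleet administrator would run to act on the two recommendations above: inventory apps that were not installed by a trusted store, and flag those that hold the runtime permissions a VajraSpy-style RAT relies on for contacts, messages, call logs, call recording, camera and file access. It parses constructed sample output in the line shapes assumed for `adb shell pm list packages -3 -i` and `adb shell dumpsys package <pkg>`; the package names, the permission list and the scoring thresholds are illustrative assumptions rather than anything the article specifies.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Installer package names treated as trusted stores. Assumption: Google Play only;
# extend this for fleets that also use a vetted enterprise store.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Runtime permissions a VajraSpy-style RAT needs for the data the article lists.
# The mapping to capabilities is an assumption for reporting purposes.
HIGH_RISK_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "contact exfiltration",
    "android.permission.READ_SMS": "SMS exfiltration",
    "android.permission.READ_CALL_LOG": "call-log exfiltration",
    "android.permission.RECORD_AUDIO": "call/ambient recording",
    "android.permission.CAMERA": "camera surveillance",
    "android.permission.READ_EXTERNAL_STORAGE": "document and media theft",
}

# Line shapes assumed from `pm list packages -3 -i` and the "runtime permissions:"
# section of `dumpsys package <pkg>`; adjust the regexes if your Android build differs.
PM_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)", re.MULTILINE)
GRANTED_LINE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=true", re.MULTILINE)


@dataclass
class AppFinding:
    package: str
    installer: Optional[str]          # None when pm reports installer=null
    risky: List[str] = field(default_factory=list)

    def sideloaded(self) -> bool:
        return self.installer not in TRUSTED_INSTALLERS

    def score(self) -> int:
        # One point per high-risk permission actually granted, plus two for bypassing the store.
        return len(self.risky) + (2 if self.sideloaded() else 0)

    def verdict(self) -> str:
        # Thresholds are an assumption: sideloaded plus two or more RAT-relevant grants is the
        # combination the article's infection pattern produces.
        if self.sideloaded() and len(self.risky) >= 2:
            return "investigate"
        if self.sideloaded() or self.risky:
            return "review"
        return "ok"


def parse_pm_list(text: str) -> List[Tuple[str, Optional[str]]]:
    """Return (package, installer) pairs; installer=null becomes None."""
    return [(pkg, None if inst == "null" else inst) for pkg, inst in PM_LINE.findall(text)]


def parse_granted(dumpsys_text: str) -> List[str]:
    """Return only the runtime permissions that are actually granted, not merely requested."""
    return GRANTED_LINE.findall(dumpsys_text)


def triage(pm_list_output: str, dumpsys_by_package: Dict[str, str]) -> List[AppFinding]:
    """Combine installer source and granted permissions, highest-risk apps first."""
    findings = []
    for pkg, installer in parse_pm_list(pm_list_output):
        granted = parse_granted(dumpsys_by_package.get(pkg, ""))
        risky = sorted(p for p in granted if p in HIGH_RISK_PERMISSIONS)
        findings.append(AppFinding(pkg, installer, risky))
    return sorted(findings, key=lambda f: (-f.score(), f.package))


def report(findings: List[AppFinding]) -> List[str]:
    lines = []
    for f in findings:
        src = f.installer or "sideloaded"
        caps = ", ".join(HIGH_RISK_PERMISSIONS[p] for p in f.risky) or "none"
        lines.append(f"{f.verdict():11} {f.package} (installer: {src}; capabilities: {caps})")
    return lines


# Constructed sample output (not captured from a real device) in the shapes assumed above.
SAMPLE_PM_LIST = """package:com.example.securechat  installer=null
package:com.example.news  installer=com.android.vending
package:com.example.notes  installer=com.android.vending
"""

SAMPLE_DUMPSYS = {
    "com.example.securechat": """    runtime permissions:
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
      android.permission.CAMERA: granted=false, flags=[ USER_SET ]
""",
    "com.example.news": """    runtime permissions:
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
""",
    "com.example.notes": """    runtime permissions:
""",
}


if __name__ == "__main__":
    for line in report(triage(SAMPLE_PM_LIST, SAMPLE_DUMPSYS)):
        print(line)
```

On a real device, feed the script the output of `adb shell pm list packages -3 -i` and one `adb shell dumpsys package <pkg>` per third-party package. Only permissions with `granted=true` count, because a requested but denied permission gives the app nothing; that is the point of the article's observation that VajraSpy's reach depends on what the user grants.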

Related links: