Friday, February 2, 2024

VajraSpy Attacking WhatsApp and Other Messaging Apps


In a recent revelation, cybersecurity researchers at ESET identified a notorious Android Remote Access Trojan (RAT) known as VajraSpy lurking within 12 malicious applications. Shockingly, six of these apps were found on Google Play between April 1, 2021, and September 10, 2023.

Disguised as innocent messaging or news apps, the malicious software was surreptitiously stealing personal data, including contacts and messages. Depending on the granted permissions, it could even record phone calls. Although these apps have been removed from Google Play, they still pose a threat as they linger on third-party app stores.

The Patchwork APT Group, known for its activities since late 2015, was identified as the culprit behind this Android espionage campaign. ESET researchers traced the group's operations back to an inadvertent reveal in 2022 when they accidentally infected their own infrastructure with the 'Ragnatela' RAT. This security lapse provided insights into Patchwork's operations.

The VajraSpy campaign primarily targeted users in Pakistan. The link between the malware and the Patchwork APT group was first established by QiAnXin in 2022, followed by Meta in March 2023 and Qihoo 360 in November 2023.

ESET researcher Lukas Stefanko discovered 12 Android applications containing the VajraSpy RAT code, with six infiltrating Google Play and amassing around 1,400 downloads. The rogue apps on Google Play masqueraded as seemingly harmless platforms, including 'Rafaqat' (news) and various messaging apps like 'Privee Talk,' 'MeetMe,' and 'Chit Chat.'

Interestingly, third-party app stores do not disclose download counts, leaving the extent of the threat ambiguous. Telemetry analysis from ESET indicates that most victims, potentially tricked through romance scams, are located in Pakistan and India.

VajraSpy, classified as both spyware and RAT, exhibits a range of espionage functionalities:

  • Gathering and transmitting personal data, such as contacts, call logs, and SMS messages.
  • Intercepting and extracting messages from encrypted communication apps like WhatsApp and Signal.
  • Recording phone calls for eavesdropping.
  • Activating the device's camera for surveillance purposes.
  • Intercepting real-time notifications from various apps.
  • Searching and exfiltrating documents, images, audio, and other file types.

VajraSpy is modular, and what it can do on an infected device depends on the permissions it is granted. ESET urges users to exercise caution and refrain from installing obscure chat apps, particularly those recommended by unfamiliar contacts, to reduce the risk of falling victim to such threats.
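Because the capabilities listed above only work once the matching Android permissions have been granted, a quick triage on a device is to compare each installed package's granted permissions (and notification access) against that capability list and surface the packages that cover most of it. The script below is an added example written for this post; it is not ESET's tooling or anything from the VajraSpy analysis. It assumes the text of `adb shell dumpsys package` has been saved to a string (it parses the `<permission>: granted=true` lines that appear under each `Package [...]` header) and that notification access is read separately from the secure setting `enabled_notification_listeners`, since notification access is not a runtime permission. The package names and dumpsys output are constructed for the example, and the mapping of capabilities to permissions is this example's assumption, not a finding of the report.

```python
import re

# Capabilities from the VajraSpy list in the post, mapped to the Android
# permissions that make each one possible. Which permissions a real sample
# requests is an assumption of this example, not a finding of the report.
CAPABILITY_PERMISSIONS = {
    "contacts, call logs and SMS": {
        "android.permission.READ_CONTACTS",
        "android.permission.READ_CALL_LOG",
        "android.permission.READ_SMS",
    },
    "call recording": {"android.permission.RECORD_AUDIO"},
    "camera": {"android.permission.CAMERA"},
    "file access": {
        "android.permission.READ_EXTERNAL_STORAGE",
        "android.permission.MANAGE_EXTERNAL_STORAGE",
    },
}
NOTIFICATION_CAPABILITY = "notification interception"

PACKAGE_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
GRANTED_RE = re.compile(r"^\s*([\w.]+): granted=true")


def parse_dumpsys_packages(text):
    """Map package name -> granted permissions from `dumpsys package` output.

    Only `<permission>: granted=true` lines under a `Package [...]` header are
    taken; `granted=false` lines and other fields are ignored.
    """
    granted = {}
    current = None
    for line in text.splitlines():
        pkg = PACKAGE_RE.match(line)
        if pkg:
            current = pkg.group(1)
            granted.setdefault(current, set())
            continue
        perm = GRANTED_RE.match(line)
        if perm and current is not None:
            granted[current].add(perm.group(1))
    return granted


def parse_notification_listeners(setting_value):
    """Package names from the secure setting `enabled_notification_listeners`,
    a ':'-separated list of `package/ServiceClass` component names."""
    return {c.split("/", 1)[0] for c in setting_value.split(":") if c.strip()}


def capabilities_for(package, permissions, listeners):
    """Capabilities from the post that this package could exercise."""
    caps = [name for name, needed in CAPABILITY_PERMISSIONS.items()
            if permissions & needed]
    if package in listeners:
        caps.append(NOTIFICATION_CAPABILITY)
    return caps


def triage(dumpsys_text, listener_setting, min_capabilities=4):
    """Return {package: capabilities} for packages covering at least
    min_capabilities of the listed behaviours.

    A real messenger legitimately holds contacts, camera and microphone
    access, so the threshold is set so that only the wider combination
    (plus call logs, SMS, notification access and broad file access) is
    surfaced for manual review.
    """
    listeners = parse_notification_listeners(listener_setting)
    flagged = {}
    for pkg, perms in parse_dumpsys_packages(dumpsys_text).items():
        caps = capabilities_for(pkg, perms, listeners)
        if len(caps) >= min_capabilities:
            flagged[pkg] = caps
    return flagged


# Constructed sample in the shape of `dumpsys package` output (not captured
# from a real device; package names are placeholders).
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.chat.sample] (a1b2c3):
    userId=10234
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.READ_EXTERNAL_STORAGE: granted=true
    runtime permissions:
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
      android.permission.READ_CALL_LOG: granted=true, flags=[ USER_SET ]
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
      android.permission.CAMERA: granted=true, flags=[ USER_SET ]
  Package [com.example.notes.sample] (d4e5f6):
    userId=10235
    install permissions:
      android.permission.INTERNET: granted=true
    runtime permissions:
      android.permission.CAMERA: granted=true, flags=[ USER_SET ]
      android.permission.READ_CONTACTS: granted=false, flags=[ USER_SET ]
"""
# Constructed value of `settings get secure enabled_notification_listeners`.
SAMPLE_LISTENERS = "com.example.chat.sample/com.example.chat.sample.NotifSvc"

if __name__ == "__main__":
    for pkg, caps in triage(SAMPLE_DUMPSYS, SAMPLE_LISTENERS).items():
        print(pkg, "->", ", ".join(caps))
```

On a real device the two inputs come from `adb shell dumpsys package` and `adb shell settings get secure enabled_notification_listeners`; the output is a review list, not a verdict, since a legitimate dialer or messenger can hold many of the same permissions.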

While Google Play implements stricter policies to curb malware, threat actors persist in finding ways to infiltrate the platform with malicious apps. Recent incidents, such as a massive adware campaign accumulating 2 million installs in October, and the SpyLoan malware amassing 12 million downloads from Google Play in 2023, underscore the ongoing challenges in securing the Android ecosystem.
