Android has had its fair share of security issues, malicious apps, and trojans. The platform, like any other, is not invulnerable to malicious actors, and dealing with these issues can be a headache. According to Bleeping Computer, a remote access trojan known as VajraSpy was found in 12 malicious apps, six of which were available on the Google Play Store from April 2021 through September 2023.
The apps have since been removed from Google Play, but they can still be found on third-party app stores, disguised as messaging and news apps. Installing one of these apps on an Android device infects it with VajraSpy, which can then steal personal data from the device, including contacts and messages, and in some cases can even record phone calls.
Bleeping Computer went on to report: "In 2022, the threat actor unintentionally revealed details of their own campaign when they accidentally infected their infrastructure with the 'Ragnatela' RAT, a tool they were employing at the time. This misstep provided Malwarebytes with a window into Patchwork's operations."
The link between VajraSpy and the activity cluster that ESET identifies as Patchwork was first established by QiAnXin in 2022 (attributing to APT-Q-43), followed by Meta in March 2023, and Qihoo 360 in November 2023 (attributing to APT-C-52).
Here are the apps that were part of this discovery:
- The apps that were available on Google Play are:
  - Rafaqat رفاقت (news)
  - Privee Talk (messaging)
  - MeetMe (messaging)
  - Let’s Chat (messaging)
  - Quick Chat (messaging)
  - Chit Chat (messaging)
- VajraSpy apps available outside Google Play are all bogus messaging apps:
  - Hello Chat
  - Wave Chat