VajraSpy: A new Android spyware used by Patchwork APT group

layer8 | Feb 3, 2024

ESET researchers have identified twelve Android espionage apps that share the same malicious code. All the observed applications were advertised as messaging tools apart from one that posed as a news app. In the background, these apps covertly execute remote access trojan code called VajraSpy, used for targeted espionage by the Patchwork APT group.

VajraSpy has a range of espionage functionalities that can be expanded based on the permissions granted to the app bundled with its code. It steals contacts, files, call logs, and SMS messages, but some of its implementations can even extract WhatsApp and Signal messages, record phone calls, and take pictures with the camera.

According to the research, this Patchwork APT campaign targeted users mostly in Pakistan.

What is VajraSpy?

VajraSpy is a remote access trojan that can steal various types of data from infected devices, such as contacts, files, call logs, SMS messages, device location, and a list of installed apps. Some variants of VajraSpy can also intercept messages and notifications from WhatsApp, WhatsApp Business, Signal, and other messaging apps, record phone calls and surrounding audio, take pictures using the camera, log keystrokes, and scan for Wi-Fi networks.

VajraSpy is customizable and its capabilities depend on the permissions granted to the app that carries its code. The malware communicates with its command and control (C&C) server using HTTPS, and uses Google’s Firebase server as a one-way communication channel. The malware can receive commands from the C&C server to perform various actions, such as uploading data, taking pictures, recording audio, or scanning for Wi-Fi networks.

The researchers classified the trojanized apps into three groups based on their malicious functionalities:

  • Group One: These apps can exfiltrate files with specific extensions and intercept notifications from any app, including SMS messages. They include MeetMe, Privee Talk, Let’s Chat, Quick Chat, GlowChat, Chit Chat, and Hello Chat.
  • Group Two: These apps have the same capabilities as Group One, plus they can exploit accessibility services to intercept messages from WhatsApp, WhatsApp Business, and Signal. They include TikTalk, Nidus, YohooTalk, Wave Chat, and Crazy Talk.
  • Group Three: This group consists of only one app, Rafaqat رفاقت, which is a trojanized news app. It can exfiltrate files with specific extensions and intercept notifications, but it does not request intrusive permissions like access to SMS messages or call logs.
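The three groups above differ only in which Android entry points the app declares: a notification-listener service, an accessibility service, and the SMS/call-log permissions. A quick manifest triage that maps those declarations back onto the report's grouping is shown below as an added example; it is not ESET's tooling, the manifest is constructed, and the tier names are my own labels for the report's groups.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Runtime permissions behind the data theft the report lists (subset).
PERMISSION_CAPS = {
    "android.permission.READ_SMS": "sms",
    "android.permission.READ_CALL_LOG": "call_log",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.CAMERA": "camera",
}
# A <service> bound with one of these is what notification and accessibility abuse needs.
SERVICE_CAPS = {
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notifications",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility",
}

def capabilities(manifest_xml):
    """Return the set of report-relevant capabilities a manifest declares."""
    root = ET.fromstring(manifest_xml)
    caps = set()
    for perm in root.iter("uses-permission"):
        caps.add(PERMISSION_CAPS.get(perm.get(ANDROID_NS + "name")))
    for svc in root.iter("service"):
        caps.add(SERVICE_CAPS.get(svc.get(ANDROID_NS + "permission")))
    caps.discard(None)  # entries that matched nothing in the tables
    return caps

def triage(manifest_xml):
    """Map a manifest onto the report's three groups (or 'no-match')."""
    caps = capabilities(manifest_xml)
    if "notifications" not in caps:
        return "no-match", sorted(caps)
    if "accessibility" in caps:          # Group Two: reads WhatsApp/Signal via a11y
        return "group-two-like", sorted(caps)
    if "sms" in caps or "call_log" in caps:  # Group One: intrusive permissions too
        return "group-one-like", sorted(caps)
    return "group-three-like", sorted(caps)  # notifications only, no SMS/call log

# Constructed manifest (hypothetical, not from any real sample): chat app with both services.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chat">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application>
    <service android:name=".NotifSvc" android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <service android:name=".A11ySvc" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""
```

The declarations are only a prerequisite, not proof of VajraSpy; a flagged app still needs its code or network behaviour checked before drawing a conclusion.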

How is VajraSpy distributed?

ESET researchers discovered 12 Android apps that contain VajraSpy code, six of which were available on Google Play, and six of which were found in the wild. The apps on Google Play reached over 1,400 installs and are still available on alternative app stores. The apps are mostly disguised as messaging tools, except for one that poses as a news app.

The researchers believe that the victims were lured into installing the malicious apps via a honey-trap romance scam, where the attackers pretended to be interested in them on another platform, and then convinced them to switch to a trojanized chat app. This was also reported in the Qihoo 360 research, where threat actors started initial communication with victims via Facebook Messenger and WhatsApp, then moved to a trojanized chat application.

The apps require the user to create an account and verify their phone number using a one-time SMS code, but the account creation is mostly irrelevant to the malware, as VajraSpy runs regardless. The apps use Firebase Hosting, a web content hosting service, for the C&C server, where they store the victims’ account information and exchanged messages.

Who is behind VajraSpy?

Based on several indicators, such as code similarities, distribution domains, and victimology, ESET researchers attributed VajraSpy to the Patchwork APT group, which is also known as APT-Q-43 or Fire Demon Snake. This group has been active since at least 2015, and has been targeting mostly diplomatic and government entities in South Asia, especially Pakistan and India. The group is known for using a patchwork of code snippets from various sources, hence its name.

The researchers found evidence that the campaign targeted mostly Pakistani users, such as the name of a popular Pakistani cricket player used as the developer name for one of the apps, the Pakistani country code preselected on the login screen of some apps, and the Urdu language used for one of the app names. They also geolocated 148 compromised devices in Pakistan and India, based on a security flaw in one of the apps.

How to protect yourself from VajraSpy?

To avoid falling victim to VajraSpy or similar spyware, ESET recommends the following:

  • Use a reputable mobile security solution to detect and block malicious apps.
  • Only download apps from official app stores, and pay attention to the ratings, reviews, and permissions of the apps.
  • Be wary of clicking on any links to download apps that are sent in chat conversations, especially from unknown or untrusted sources.
  • Be vigilant and cautious of any unsolicited romantic or sexual advances online, as they could be part of a social engineering scheme.