Security researchers from ESET have uncovered a collection of twelve Android apps designed for espionage, all sharing a common malicious code known as VajraSpy. Among these apps, six were discovered on Google Play, while the remaining six were identified on VirusTotal. Interestingly, all of these applications were promoted as messaging tools, except for one that masqueraded as a news app. Unbeknownst to users, these seemingly innocent apps operated as a conduit for the Patchwork APT group’s targeted espionage activities.
The Android apps carrying VajraSpy were uploaded to Google Play between April 2021 and March 2023. The first, Privee Talk, was published on April 1st, 2021, and reached approximately 15 installations. In October 2022, MeetMe, Let’s Chat, Quick Chat, and Rafaqat رفاق followed, accumulating over 1,000 installations between them. The last app to appear on Google Play was Chit Chat, published in March 2023, which surpassed 100 installations.
These apps share notable similarities: almost all of them function as messaging platforms, and all of them contain the VajraSpy RAT code. Notably, MeetMe and Chit Chat have an identical user login interface, as illustrated in Figure 1. In addition, the Hello Chat app (not available on Google Play) and Chit Chat were both signed with the same unique developer certificate (SHA-1 fingerprint: 881541A1104AEDC7CEE504723BD5F63E15DB6420), indicating that a single developer was behind them.
VajraSpy has a wide array of espionage capabilities, and their reach grows with the permissions granted to the app that carries its code. It can steal contacts, files, call logs, and SMS messages. Some implementations of VajraSpy can also extract messages from popular platforms such as WhatsApp and Signal, record phone conversations, and capture images with the device’s camera.