Patchwork Using Romance Scam Lures to Infect Android Devices with VajraSpy Malware

05 February 2024 | Pressroom | Cyber espionage / cyber extortion


The threat actor known as Patchwork likely used romance scam lures to trap victims in Pakistan and India and infect their Android devices with a remote access trojan called VajraSpy.

Slovakian cybersecurity firm ESET said it had discovered 12 spying apps, six of which were available for download from the official Google Play Store and were collectively downloaded more than 1,400 times between April 2021 and March 2023.

“VajraSpy has a range of spying capabilities that can be expanded based on the permissions granted to the app bundled with its code,” said security researcher Lukáš Štefanko. “It steals contacts, files, call logs and SMS messages, but some of its implementations can even extract WhatsApp and Signal messages, record phone calls and take camera photos.”

It is estimated that as many as 148 devices in Pakistan and India have been compromised in the wild. Malicious apps distributed via Google Play and elsewhere mostly masqueraded as messaging applications, with the most recent ones propagated as late as September 2023.

  • Privee Talk (
  • MeetMe (
  • Let’s chat (
  • Quick Chat (
  • Rafaqat boys (
  • ChitChat (
  • YohooTalk (
  • TikTalk (
  • Hello Chat (
  • Nidus ( or
  • GlowChat (com.glow.glow)
  • WaveChat (

Rafaqat رفاق is notable for being the only non-messaging app and was advertised as a way to access breaking news. It was uploaded to Google Play on October 26, 2022 by a developer named Mohammad Rizwan and accumulated a total of 1,000 downloads before being removed by Google.


The exact distribution vector of the malware is currently unclear, although the nature of the apps suggests that targets were tricked into downloading them as part of a romance scam in which the perpetrators convince them to install these bogus apps under the guise of having a safer conversation.

This is not the first time that Patchwork, a criminal group with suspected ties to India, has used this technique. In March 2023, Meta revealed that the hacking team created fictitious personas on Facebook and Instagram to share links to unauthorized apps to target victims in Pakistan, India, Bangladesh, Sri Lanka, Tibet, and China.

It is also not the first time attackers have been observed using VajraRAT, which was previously documented by Chinese cybersecurity firm QiAnXin in early 2022 as being used in a campaign directed against the Pakistani government and military entities. Vajra takes its name from the Sanskrit word meaning lightning.


Qihoo 360, in its own analysis of the malware in November 2023, linked it to a threat actor tracked under the nickname Fire Demon Snake (also known as APT-C-52).

Outside of Pakistan and India, Nepalese government bodies have also likely been targeted via a phishing campaign delivering a Nim-based backdoor. It was attributed to the SideWinder group, another group that has been reported as operating with Indian interests in mind.

The development comes as financially motivated criminals from Pakistan and India have been discovered targeting Indian Android users with a fake lending app (Moneyfine or “com.moneyfine.fine”) as part of an extortion scam that manipulates selfies uploaded during a know your customer (KYC) process to create a nude image and threatens victims into making a payment or risk having the edited photos distributed to their contacts.

“These unknown, financially motivated threat actors make enticing promises of quick loans with minimal formalities, deploy malware to compromise their devices, and use threats to extort money,” Cyfirma said in an analysis late last month.


It also comes in the context of a broader trend of people falling prey to predatory lending apps, known for harvesting sensitive information from infected devices and employing blackmail and harassment tactics to pressure victims into making payments.

Teenagers from Australia, Canada and the United States are increasingly being targeted by financial sextortion attacks conducted by the Nigeria-based cybercrime group known as Yahoo Boys, according to a recent report released by the Network Contagion Research Institute (NCRI).

“Almost all of this activity is linked to West African cybercriminals known as Yahoo Boys, who primarily target English-speaking minors and young adults on Instagram, Snapchat and Wizz,” the NCRI said.

Wizz, which has since had its own Android and iOS apps pulled down from the Apple App Store and Google Play Store, countered the NCRI report, saying it is “not aware of any successful extortion attempts that occurred while communicating on the Wizz app.”
