Google Play Used to Spread 'Patchwork' APT's Espionage Apps
The Indian state-sponsored cyberattackers lurked in Google's official app store, distributing a new RAT and spying on Pakistanis.
February 2, 2024
The Indian APT group Patchwork, known for its targeted spear phishing cyberattacks against Pakistanis, has been caught abusing Google Play to distribute six different Android espionage applications posing as legit messaging and news services. In reality, they come loaded with a newly discovered remote access Trojan (RAT) called VajraSpy.
Researchers from ESET who uncovered the campaign found that VjjaraSpy RAT intercepts calls, SMS messages, files, contacts, and more, according to the security firm's Patchwork report this week. They can also extract WhatsApp and Signal messages, record phone calls, and take camera pictures. In total, the researchers found the RAT-tainted applications were downloaded from the Google Play store more than 1,400 times.
In addition to the six Google Play apps being used to deliver VajraSpy, the ESET team found an additional six being distributed in third-party/unofficial app stores. The phony apps go by names that include Privee Talk, MeetMe, Let's Chat, Quick Chat, Rafagat, and Faraqat.
"Based on several indicators, the campaign targeted mostly Pakistani users: Rafaqat رفاقت, one of the malicious apps, used the name of a popular Pakistani cricket player as the developer name on Google Play; the apps that requested a phone number upon account creation have the Pakistan country code selected by default; and many of the compromised devices discovered through the security flaw were located in Pakistan," according to the report.
To lure victims into downloading the apps, the cybercriminals used the promise of love in targeted attacks, the report found.
"To entice their victims, the threat actors likely used targeted honey-trap romance scams, initially contacting the victims on another platform and then convincing them to switch to a trojanized chat application," ESET's report added.
ESET reported the apps to Google and they have been removed from the Play store.
About the Author
You May Also Like
DevSecOps/AWS
Oct 17, 2024Social Engineering: New Tricks, New Threats, New Defenses
Oct 23, 202410 Emerging Vulnerabilities Every Enterprise Should Know
Oct 30, 2024Simplify Data Security with Automation
Oct 31, 2024Unleashing AI to Assess Cyber Security Risk
Nov 12, 2024