The threat actor known as Patchwork likely used romance scam lures to trap victims in Pakistan and India, and infect their Android devices with a remote access trojan called VajraSpy.
Slovak cybersecurity firm ESET said it uncovered 12 espionage apps, six of which were available for download from the official Google Play Store and were collectively downloaded more than 1,400 times between April 2021 and March 2023.
"VajraSpy has a range of espionage functionalities that can be expanded based on the permissions granted to the app bundled with its code," security researcher Lukáš Štefanko said. "It steals contacts, files, call logs, and SMS messages, but some of its implementations can even extract WhatsApp and Signal messages, record phone calls, and take pictures with the camera."
As many as 148 devices in Pakistan and India are estimated to have been compromised in the wild. The malicious apps distributed via Google Play and elsewhere primarily masqueraded as messaging applications, with the most recent ones propagated as recently as September 2023.
- Privee Talk (com.priv.talk)
- MeetMe (com.meeete.org)
- Let's Chat (com.letsm.chat)
- Quick Chat (com.qqc.chat)
- Rafaqat رفاق (com.rafaqat.news)
- Chit Chat (com.chit.chat)
- YohooTalk (com.yoho.talk)
- TikTalk (com.tik.talk)
- Hello Chat (com.hello.chat)
- Nidus (com.nidus.no or com.nionio.org)
- GlowChat (com.glow.glow)
- Wave Chat (com.wave.chat)
Rafaqat رفاق is notable for the fact that it's the only non-messaging app and was advertised as a way to access the latest news. It was uploaded to Google Play on October 26, 2022, by a developer named Mohammad Rizwan and amassed a total of 1,000 downloads before it was taken down by Google.
The exact distribution vector for the malware is currently not clear, although the nature of the apps suggests that the targets were tricked into downloading them as part of a honey-trap romance scam, where the perpetrators convince them to install these bogus apps under the pretext of having a more secure conversation.
This is not the first time Patchwork – a threat actor with suspected ties to India – has leveraged this technique. In March 2023, Meta revealed that the hacking crew created fictitious personas on Facebook and Instagram to share links to rogue apps to target victims in Pakistan, India, Bangladesh, Sri Lanka, Tibet, and China.
It's also not the first time that the attackers have been observed deploying VajraRAT, which was previously documented by Chinese cybersecurity company QiAnXin in early 2022 as having been used in a campaign aimed at Pakistani government and military entities. Vajra gets its name from the Sanskrit word for thunderbolt.
Qihoo 360, in its own analysis of the malware in November 2023, tied it to a threat actor it tracks under the moniker Fire Demon Snake (aka APT-C-52).
Outside of Pakistan and India, Nepalese government entities have also been likely targeted via a phishing campaign that delivers a Nim-based backdoor. It has been attributed to the SideWinder group, another outfit that has been flagged as operating with Indian interests in mind.
The development comes as financially motivated threat actors from Pakistan and India have been found targeting Indian Android users with a fake loan app (Moneyfine or "com.moneyfine.fine") as part of an extortion scam that manipulates the selfie uploaded as part of a know your customer (KYC) process to create a nude image and threatens victims to make a payment or risk getting the doctored photos distributed to their contacts.
"These unknown, financially motivated threat actors make enticing promises of quick loans with minimal formalities, deliver malware to compromise their devices, and employ threats to extort money," Cyfirma said in an analysis late last month.
It also comes amid a broader trend of people falling prey to predatory loan apps, which are known to harvest sensitive information from infected devices, and employ blackmail and harassment tactics to pressure victims into making the payments.
According to a recent report published by the Network Contagion Research Institute (NCRI), teenagers from Australia, Canada, and the U.S. are increasingly targeted by financial sextortion attacks conducted by Nigeria-based cybercriminal group known as Yahoo Boys.
"Nearly all of this activity is linked to West African cybercriminals known as the Yahoo Boys, who are primarily targeting English-speaking minors and young adults on Instagram, Snapchat, and Wizz," NCRI said.
Wizz, which has since had its Android and iOS apps taken down from the Apple App Store and the Google Play Store, countered the NCRI report, stating it's "not aware of any successful extortion attempts that occurred while communicating on the Wizz app."