Six Android Apps Were Reportedly Recording Users’ Conversations

A new cybersecurity report has revealed that six Android apps available on the Google Play Store were reportedly used to secretly record users’ conversations, extract messages from WhatsApp and Signal, and potentially engage in broader surveillance. The findings, detailed by ESET cybersecurity researchers, highlight the risk of malware infiltrating even seemingly trustworthy platforms.

How the Spyware Works

Once downloaded, the malicious apps reportedly execute remote access trojan (RAT) code known as VajraSpy. According to ESET, this code allows attackers to intercept communications and extract sensitive data. Notably, one app, called WaveChat, reportedly could record background audio even when the user wasn’t actively using their phone’s microphone.

Who Was Targeted?

While the threat was not primarily aimed at users in the United States, researchers estimate that the apps were downloaded around 1,400 times, with a primary focus on users in India and Pakistan. The researchers’ findings suggest that the attackers likely used a “honey-trap romance scam” to lure victims into installing the malicious software. This tactic involves creating fake online personas to establish trust and encourage downloads.

Identifying the Apps

ESET researchers identified a total of 12 spyware apps, including the six available on the Google Play Store. The malicious apps are:

  • Privee Talk
  • MeetMe *
  • Let’s Chat
  • Quick Chat
  • Rafaqat رفاق
  • Chit Chat

* It’s important to note that the popular MeetMe app, which has been downloaded over 100 million times, is not associated with this malware. Other apps with the same name may exist, so exercise caution.

Broader Context & Recent Findings

This discovery adds to a growing list of concerns about Android app security. In October, ESET researchers uncovered two spyware apps disguised as the Signal app, targeting users in the United Arab Emirates. This highlights the ongoing challenge of malicious actors mimicking popular and trusted apps to deceive users.

A Case of Targeted Deception?

Interestingly, evidence suggests one of the VajraSpy apps might have specifically targeted fans of a well-known Pakistani cricket player. The app was uploaded by a user named Mohammad Rizwan, which is also the name of a prominent professional cricket player (who is not involved with this scheme). This implies a potential strategy to exploit the player’s popularity to distribute the malware.

The Threat Actor

ESET researchers attribute the spyware to Patchwork APT, a known threat actor in the cybersecurity landscape. This group is known for its sophisticated tactics and targeted campaigns.

The discovery of these VajraSpy apps underscores the need for vigilance and caution when downloading apps, even from official app stores. Users should always carefully review app permissions and research developers before installing anything new.

Key Takeaways & Protecting Yourself

This incident serves as a reminder that even established app stores are not foolproof barriers against malware. To protect yourself:

  • Download apps only from reputable companies.
  • Carefully review app permissions before installing. Grant only the permissions necessary for the app’s functionality.
  • Be wary of apps requesting unnecessary permissions.
  • Research developers before installing anything new.
  • Keep your device’s operating system and security software up to date.
  • Be cautious of suspicious links or messages, especially those promising romance or other enticing offers.

The prevalence of these spyware apps reinforces the importance of staying informed and practicing safe browsing habits to mitigate the risk of falling victim to malicious software.