ESET Research Uncovers Espionage Apps Utilizing Romance Scams in Pakistan

ESET researchers have identified 12 Android espionage apps sharing the same malicious code, with six of them available on Google Play.

All the observed applications were advertised as messaging tools, except for one posing as a news app. However, in the background, these apps covertly execute remote access trojan (RAT) code called VajraSpy, used for targeted espionage by the Patchwork APT group. The campaign primarily targeted users in Pakistan. Based on ESET’s investigation, the threat actors behind the trojanized apps likely used a honey-trap romance scam to lure their victims into installing the malware.

VajraSpy exhibits a variety of espionage functionalities that can be extended based on the permissions granted to the app containing its code. It is capable of stealing contacts, files, call logs, and SMS messages. Moreover, certain implementations allow it to extract WhatsApp and Signal messages, record phone calls, and capture pictures using the device's camera.

Based on available data, the malicious apps previously available on Google Play were downloaded over 1,400 times. During ESET's investigation, the weak operational security of one of the apps resulted in some victim data being exposed, allowing researchers to geolocate 148 compromised devices in Pakistan and India. These devices were likely the actual targets of the attacks.

ESET is an active member of the App Defence Alliance and a key partner in the malware mitigation program, which aims to swiftly identify Potentially Harmful Applications (PHAs) and prevent them from being listed on Google Play. As a partner in the Google App Defence Alliance, ESET detected the malicious apps and promptly reported them to Google. Consequently, they have been removed from the Play Store. However, it is worth noting that these apps may still be accessible through alternative app stores.

Last year, ESET discovered a trojanized news app called Rafaqat that was used to steal user information. Further investigation revealed several additional applications containing the same malicious code. In total, ESET analyzed 12 trojanized apps, six of which (including Rafaqat) were available on Google Play, while the remaining six were found in the wild and identified in the VirusTotal database. These apps were distributed under various names, such as Privee Talk, MeetMe, Let’s Chat, Quick Chat, Rafaqat, Chit Chat, YohooTalk, TikTalk, Hello Chat, Nidus, GlowChat, and Wave Chat.

To lure their victims, the threat actors likely employed targeted honey-trap romance scams, initially contacting potential victims on another platform and then convincing them to switch to a trojanized chat application. Lukáš Štefanko, an ESET researcher who discovered this Android spyware, advises caution: "Cybercriminals use social engineering as a powerful weapon. We strongly advise against clicking on any links to download an application that are sent in a chat conversation. It can be difficult to resist suspicious romantic advances, but it pays off to always remain vigilant."

According to the MITRE ATT&CK database, Patchwork has not been definitively attributed, and only circumstantial evidence suggests the group may have a pro-Indian or Indian affiliation. This APT group primarily targets diplomatic and government entities.

For more technical information about VajraSpy and the spying apps associated with the Patchwork APT group, you can read the blog post titled "VajraSpy: A Patchwork of Espionage Apps" on WeLiveSecurity.com. Make sure to follow ESET Research on X (formerly known as Twitter) for the latest news and updates from ESET Research.