ESET researchers have recognized twelve Android espionage apps that share the identical malicious code: six had been accessible on Google Play, and 6 had been discovered on VirusTotal. All of the noticed functions had been marketed as messaging instruments other than one which posed as a information app. Within the background, these apps covertly execute distant entry trojan (RAT) code known as VajraSpy, used for focused espionage by the Patchwork APT group.
VajraSpy has a variety of espionage functionalities that may be expanded primarily based on the permissions granted to the app bundled with its code. It steals contacts, information, name logs, and SMS messages, however a few of its implementations may even extract WhatsApp and Sign messages, document cellphone calls, and take footage with the digital camera.
In accordance with our analysis, this Patchwork APT marketing campaign focused customers principally in Pakistan.
Key factors of the report:
- We found a brand new cyberespionage marketing campaign that, with a excessive stage of confidence, we attribute to the Patchwork APT group.
- The marketing campaign leveraged Google Play to distribute six malicious apps bundled with VajraSpy RAT code; six extra had been distributed within the wild.
- The apps on Google Play reached over 1,400 installs and are nonetheless accessible on various app shops.
- Poor operational safety round one of many apps allowed us to geolocate 148 compromised gadgets.
Overview
In January 2023, we detected a trojanized information app known as Rafaqat رفاقت (the Urdu phrase interprets to Fellowship) getting used to steal person info. Additional analysis uncovered a number of extra functions with the identical malicious code as Rafaqat رفاقت. A few of these apps shared the identical developer certificates and person interface. In complete, we analyzed 12 trojanized apps, six of which (together with Rafaqat رفاقت) had been accessible on Google Play, and 6 of which had been discovered within the wild. The six malicious apps that had been accessible on Google Play had been downloaded greater than 1,400 instances altogether.
Based mostly on our investigation, the menace actors behind the trojanized apps in all probability used a honey-trap romance rip-off to lure their victims into putting in the malware.
Notice: This analysis covers particular apps and bundle names which have since been faraway from the Google Play retailer. Any equally or identically named apps, equivalent to MeetMe, which might be nonetheless accessible on Google Play are purely coincidental and haven’t been affected.
All of the apps that had been in some unspecified time in the future accessible on Google Play had been uploaded there between April 2021 and March 2023. The primary of the apps to look was Privee Speak, uploaded on April 1st, 2021, reaching round 15 installs. Then, in October 2022, it was adopted by MeetMe, Let’s Chat, Fast Chat, and Rafaqat رفاق, put in altogether over 1,000 instances. The final app accessible on Google Play was Chit Chat, which appeared in March 2023 and reached greater than 100 installs.
The apps share a number of commonalities: most are messaging functions, and all are bundled with the VajraSpy RAT code. MeetMe and Chit Chat use an equivalent person login interface; see Determine 1. Moreover, the Good day Chat (not accessible on Google Play retailer) and Chit Chat apps had been signed by the identical distinctive developer certificates (SHA-1 fingerprint: 881541A1104AEDC7CEE504723BD5F63E15DB6420), which implies the identical developer created them.
Aside from the apps that was once accessible on Google Play, six extra messaging functions had been uploaded to VirusTotal. Chronologically, YohooTalk was the primary to look there, in February 2022. The TikTalk app appeared on VirusTotal late in April 2022; virtually instantly afterward, MalwareHunterTeam on X (previously Twitter) shared it with the area the place it was accessible for obtain (fich[.]buzz). Good day Chat was uploaded in April 2023. Nidus and GlowChat had been uploaded there in July 2023, and lastly, Wave Chat in September 2023. These six trojanized apps comprise the identical malicious code as these discovered on Google Play.
Determine 2 exhibits the dates when every utility turned accessible, both on Google Play or as a pattern on VirusTotal.
ESET is a member of the App Protection Alliance and an lively accomplice within the malware mitigation program, which goals to rapidly discover Probably Dangerous Functions (PHAs) and cease them earlier than they ever make it onto Google Play.
As a Google App Protection Alliance accomplice, ESET recognized Rafaqat رفاقت as malicious and promptly shared these findings with Google. At that cut-off date, Rafaqat رفاقت had already been faraway from the storefront. Different apps, on the time of sharing pattern with us, had been scanned and never flagged as malicious. All of the apps recognized within the report that had been on Google Play are now not on accessible on the Play retailer.
Victimology
Whereas ESET telemetry knowledge registered detections from Malaysia solely, we imagine these had been solely incidental and didn’t represent the precise targets of the marketing campaign. Throughout our investigation, weak operational safety of one of many apps led to some sufferer knowledge being uncovered, which allowed us to geolocate 148 compromised gadgets in Pakistan and India. These had been doubtless the precise targets of the assaults.
One other clue pointing towards Pakistan is the identify of the developer used for the Google Play itemizing of the Rafaqat رفاقت app. The menace actors used the identify Mohammad Rizwan, which can be the identify of one of the crucial in style cricket players from Pakistan. Rafaqat رفاقت and a number of other extra of those trojanized apps additionally had the Pakistani nation calling code chosen by default on their login display. In accordance with Google Translate, رفاقت means “fellowship” in Urdu. Urdu is one in all nationwide languages in Pakistan.
We imagine the victims had been approached through a honey-trap romance rip-off the place the marketing campaign operators feigned romantic and/or sexual curiosity of their targets on one other platform, after which satisfied them to obtain these trojanized apps.
Attribution to Patchwork
The malicious code executed by the apps was first found in March 2022 by QiAnXin. They named it VajraSpy and attributed it to APT-Q-43. This APT group targets principally diplomatic and authorities entities.
In March 2023, Meta revealed its first quarter adversarial threat report that accommodates their take down operation and techniques, strategies and procedures (TTPs) of assorted APT teams. The report contains take down operation performed by Patchwork APT group that consists of faux social media accounts, Android malware hashes, and distribution vector. The Threat indicators part of that report contains samples that had been analyzed and reported by QiAnXin with the identical distribution domains.
In November 2023, Qihoo 360 independently published an article matching malicious apps described by Meta and this report, attributing them to VajraSpy malware operated by Fireplace Demon Snake (APT-C-52), a brand new APT group.
Our evaluation of those apps revealed that all of them share the identical malicious code and belong to the identical malware household, VajraSpy. Meta’s report contains extra complete info, which could give Meta higher visibility on the campaigns and in addition extra knowledge to determine the APT group. Due to that, we attributed VajraSpy to the Patchwork APT group.
Technical evaluation
VajraSpy is a customizable trojan normally disguised as a messaging utility, used to exfiltrate person knowledge. We seen that the malware has been utilizing the identical class names throughout all its noticed situations, be they the samples discovered by ESET or by different researchers.
As an example, Determine 3 exhibits a comparability of malicious courses of variants of VajraSpy malware. The screenshot on the left is an inventory of malicious courses present in Click on App found by Meta, the one within the center lists the malicious courses in MeetMe (found by ESET), and the screenshot on the suitable exhibits the malicious courses in WaveChat, a malicious app discovered within the wild. All of the apps share the identical employee courses chargeable for knowledge exfiltration.
Determine 4 and Determine 5 present the code chargeable for exfiltrating notifications from the Loopy Speak app talked about in Meta’s report, and the Nidus app, respectively.
The extent of VajraSpy’s malicious functionalities varies primarily based on the permissions granted to the trojanized utility.
For simpler evaluation, we have now break up the trojanized apps into three teams.
Group One: trojanized messaging functions with primary functionalities
The primary group contains all of the trojanized messaging functions that was once accessible on Google Play, i.e., MeetMe, Privee Speak, Let’s Chat, Fast Chat, GlowChat, and Chit Chat. It additionally contains Good day Chat, which wasn’t accessible on Google Play.
All of the functions on this group present normal messaging performance, however first, they require the person to create an account. Creating an account is determined by cellphone quantity verification through a one-time SMS code – if the cellphone quantity can’t be verified, the account won’t be created. Nevertheless, whether or not the account is created or not is generally irrelevant to the malware, as VajraSpy runs regardless. The one potential utility of getting the sufferer confirm the cellphone quantity could possibly be for the menace actors to study their sufferer’s nation code, however that is simply hypothesis on our half.
These apps share the identical malicious performance, being able to exfiltrating the next:
- contacts,
- SMS messages,
- name logs,
- machine location,
- an inventory of put in apps, and
- information with particular extensions (.pdf, .doc, .docx, .txt, .ppt, .pptx, .xls, .xlsx, .jpg, .jpeg, .png, .mp3, .Om4a, .aac, and .opus).
A few of the apps can exploit their permissions to entry notifications. If such permission is granted, VajraSpy can intercept obtained messages from any messaging utility, together with SMS messages.
Determine 6 exhibits an inventory of file extensions that VajraSpy is able to exfiltrating from a tool.
The operators behind the assaults used Firebase Internet hosting, an internet content material internet hosting service, for the C&C server. Aside from serving because the C&C, the server was additionally used to retailer the victims’ account info and exchanged messages. We reported the server to Google, since they supply Firebase.
Group Two: trojanized messaging functions with superior functionalities
Group two consists of TikTalk, Nidus, YohooTalk, and Wave Chat, in addition to the situations of VajraSpy malware described in different analysis items, equivalent to Loopy Speak (coated by Meta and QiAnXin).
As with these in Group One, these apps ask the potential sufferer to create an account and confirm their cellphone quantity utilizing a one-time SMS code. The account received’t be created if the cellphone quantity shouldn’t be verified, however VajraSpy will run anyway.
The apps on this group possess expanded capabilities in comparison with these in Group One. Along with the primary group’s functionalities, these apps are capable of exploit built-in accessibility choices to intercept WhatsApp, WhatsApp Enterprise, and Sign communication. VajraSpy logs any seen communication from these apps within the console and within the native database, and subsequently uploads it to the Firebase-hosted C&C server. As an example, Determine 7 depicts the malware logging WhatsApp communication in actual time.
Moreover, their prolonged capabilities enable them to spy on chat communications and intercept notifications. All in all, the Group Two apps are able to exfiltrating the next along with these that may be exfiltrated by Group One apps:
- obtained notifications, and
- exchanged messages in WhatsApp, WhatsApp Enterprise, and Sign.
One of many apps on this group, Wave Chat, has much more malicious capabilities on high of these we have now already coated. It additionally behaves in a different way upon preliminary launch, asking the person to permit accessibility providers. As soon as allowed, these providers robotically allow all the mandatory permissions on the person’s behalf, increasing the scope of VajraSpy’s entry to the machine. Along with the beforehand talked about malicious performance, Wave Chat can even:
- document cellphone calls,
- document calls from WhatsApp, WhatsApp Enterprise, Sign, and Telegram,
- log keystrokes,
- take footage utilizing the digital camera,
- document surrounding audio, and
- scan for Wi-Fi networks.
Wave Chat can obtain a C&C command to take an image utilizing the digital camera, and one other command to document audio, both for 60 seconds (by default) or for the period of time specified within the server response. The captured knowledge is then exfiltrated to the C&C through POST requests.
To obtain instructions and retailer person messages, SMS messages, and the contact listing, Wave Chat makes use of a Firebase server. For different exfiltrated knowledge, it makes use of a distinct C&C server and a consumer primarily based on an open-source venture known as Retrofit. Retrofit is an Android REST consumer in Java that makes it straightforward to retrieve and add knowledge through a REST-based net service. VajraSpy makes use of it to add person knowledge unencrypted to the C&C server through HTTP.
Group Three: non-messaging functions
Thus far, the one utility that belongs to this group is the one which kicked off this analysis within the first place – Rafaqat رفاقت. It’s the solely VajraSpy utility that isn’t used for messaging, and is ostensibly used to ship the most recent information. Since information apps don’t must request intrusive permissions equivalent to entry to SMS messages or name logs, the malicious capabilities of Rafaqat رفاقت are restricted when in comparison with the opposite analyzed functions.
Rafaqat رفاقت was uploaded to Google Play on October 26th, 2022 by a developer going by the identify Mohammad Rizwan, which can be the identify of one of the crucial in style Pakistani cricket gamers. The applying reached over a thousand installs earlier than being faraway from the Google Play retailer.
Curiously, the identical developer submitted two extra apps with an equivalent identify and malicious code for add to Google Play some weeks earlier than Rafaqat رفاقت appeared. Nevertheless, these two apps weren’t revealed on Google Play.
The app’s login interface with the Pakistan nation code preselected might be seen in Determine 8.
Whereas the app requires a login utilizing a cellphone quantity upon launch, no quantity verification is applied, that means that the person can make use of any cellphone quantity to log in.
Rafaqat رفاقت can intercept notifications and exfiltrate the next:
- contacts, and
- information with particular extensions (.pdf, .doc, .docx, .txt, .ppt, .pptx, .xls, .xlsx, .jpg, .jpeg, .png, .mp3, .Om4a, .aac, and .opus).
Determine 9 exhibits the exfiltration of a obtained SMS message utilizing the permission to entry notifications.
Conclusion
ESET Analysis has found an espionage marketing campaign utilizing apps bundled with VajraSpy malware performed, with a excessive stage of confidence, by the Patchwork APT group. Some apps had been distributed through Google Play and in addition discovered, together with others, within the wild. Based mostly on the accessible numbers, the malicious apps that was once accessible on Google Play had been downloaded greater than 1,400 instances. A safety flaw in one of many apps additional revealed 148 compromised gadgets.
Based mostly on a number of indicators, the marketing campaign focused principally Pakistani customers: Rafaqat رفاقت, one of many malicious apps, used the identify of a well-liked Pakistani cricket participant because the developer identify on Google Play; the apps that requested a cellphone quantity upon account creation have the Pakistan nation code chosen by default; and most of the compromised gadgets found by way of the safety flaw had been situated in Pakistan.
To entice their victims, the menace actors doubtless used focused honey-trap romance scams, initially contacting the victims on one other platform after which convincing them to change to a trojanized chat utility. This was additionally reported within the Qihoo 360 analysis, the place menace actors began preliminary communication with victims through Fb Messenger and WhatsApp, then moved to a trojanized chat utility.
Cybercriminals wield social engineering as a robust weapon. We strongly suggest towards clicking any hyperlinks to obtain an utility which might be despatched in a chat dialog. It may be exhausting to remain resistant to spurious romantic advances, but it surely pays off to at all times be vigilant.
For any inquiries about our analysis revealed on WeLiveSecurity, please contact us at threatintel@eset.com.
ESET Analysis affords non-public APT intelligence studies and knowledge feeds. For any inquiries about this service, go to the ESET Threat Intelligence web page.
IoCs
Recordsdata
|
SHA-1 |
Bundle identify |
ESET detection identify |
Description |
|
BAF6583C54FC680AA6F71F3B694E71657A7A99D0 |
com.hi there.chat |
Android/Spy.VajraSpy.B |
VajraSpy trojan. |
|
846B83B7324DFE2B98264BAFAC24F15FD83C4115 |
com.chit.chat |
Android/Spy.VajraSpy.A |
VajraSpy trojan. |
|
5CFB6CF074FF729E544A65F2BCFE50814E4E1BD8 |
com.meeete.org |
Android/Spy.VajraSpy.A |
VajraSpy trojan. |
|
1B61DC3C2D2C222F92B84242F6FCB917D4BC5A61 |
com.nidus.no |
Android/Spy.Agent.BQH |
VajraSpy trojan. |
|
BCD639806A143BD52F0C3892FA58050E0EEEF401 |
com.rafaqat.information |
Android/Spy.VajraSpy.A |
VajraSpy trojan. |
|
137BA80E443610D9D733C160CCDB9870F3792FB8 |
com.tik.discuss |
Android/Spy.VajraSpy.A |
VajraSpy trojan. |
|
5F860D5201F9330291F25501505EBAB18F55F8DA |
com.wave.chat |
Android/Spy.VajraSpy.C |
VajraSpy trojan. |
|
3B27A62D77C5B82E7E6902632DA3A3E5EF98E743 |
com.priv.discuss |
Android/Spy.VajraSpy.C |
VajraSpy trojan. |
|
44E8F9D0CD935D0411B85409E146ACD10C80BF09 |
com.glow.glow |
Android/Spy.VajraSpy.A |
VajraSpy trojan. |
|
94DC9311B53C5D9CC5C40CD943C83B71BD75B18A |
com.letsm.chat |
Android/Spy.VajraSpy.A |
VajraSpy trojan. |
|
E0D73C035966C02DF7BCE66E6CE24E016607E62E |
com.nionio.org |
Android/Spy.VajraSpy.C |
VajraSpy trojan. |
|
235897BCB9C14EB159E4E74DE2BC952B3AD5B63A |
com.qqc.chat |
Android/Spy.VajraSpy.A |
VajraSpy trojan. |
|
8AB01840972223B314BF3C9D9ED3389B420F717F |
com.yoho.discuss |
Android/Spy.VajraSpy.A |
VajraSpy trojan. |
Community
|
IP |
Area |
Internet hosting supplier |
First seen |
Particulars |
|
34.120.160[.]131
|
hello-chat-c47ad-default-rtdb.firebaseio[.]com
chit-chat-e9053-default-rtdb.firebaseio[.]com
meetme-abc03-default-rtdb.firebaseio[.]com
chatapp-6b96e-default-rtdb.firebaseio[.]com
tiktalk-2fc98-default-rtdb.firebaseio[.]com
wave-chat-e52fe-default-rtdb.firebaseio[.]com
privchat-6cc58-default-rtdb.firebaseio[.]com
glowchat-33103-default-rtdb.firebaseio[.]com
letschat-5d5e3-default-rtdb.firebaseio[.]com
quick-chat-1d242-default-rtdb.firebaseio[.]com
yooho-c3345-default-rtdb.firebaseio[.]com |
Google LLC |
2022-04-01 |
VajraSpy C&C servers |
|
35.186.236[.]207
|
rafaqat-d131f-default-rtdb.asia-southeast1.firebasedatabase[.]app
|
Google LLC |
2023-03-04 |
VajraSpy C&C server |
|
160.20.147[.]67
|
N/A |
aurologic GmbH |
2021-11-03 |
VajraSpy C&C server |
MITRE ATT&CK strategies
This desk was constructed utilizing version 14 of the MITRE ATT&CK framework.
|
Tactic |
ID |
Title |
Description |
|
Persistence |
Boot or Logon Initialization Scripts |
VajraSpy receives the BOOT_COMPLETED broadcast intent to activate at machine startup. |
|
|
Discovery |
File and Listing Discovery |
VajraSpy lists accessible information on exterior storage. |
|
|
System Community Configuration Discovery |
VajraSpy extracts the IMEI, IMSI, cellphone quantity, and nation code. |
||
|
System Data Discovery |
VajraSpy extracts details about the machine, together with SIM serial quantity, machine ID, and customary system info. |
||
|
Software program Discovery |
VajraSpy can get hold of an inventory of put in functions. |
||
|
Assortment |
Information from Native System |
VajraSpy exfiltrates information from the machine. |
|
|
Location Monitoring |
VajraSpy tracks machine location. |
||
|
Protected Consumer Information: Name Logs |
VajraSpy extracts name logs. |
||
|
Protected Consumer Information: Contact Record |
VajraSpy extracts the contact listing. |
||
|
Protected Consumer Information: SMS Messages |
VajraSpy extracts SMS messages. |
||
|
Entry Notifications |
VajraSpy can accumulate machine notifications. |
||
|
Audio Seize |
VajraSpy can document microphone audio and document calls. |
||
|
Video Seize |
VajraSpy can take footage utilizing the digital camera. |
||
|
Enter Seize: Keylogging |
VajraSpy can intercept all interactions between a person and the machine. |
||
|
Command and Management |
Software Layer Protocol: Net Protocols |
VajraSpy makes use of HTTPS to speak with its C&C server. |
|
|
Net Service: One-Approach Communication |
VajraSpy makes use of Google’s Firebase server as a C&C. |
||
|
Exfiltration |
Exfiltration Over C2 Channel |
VajraSpy exfiltrates knowledge utilizing HTTPS. |
|
|
Impression |
Information Manipulation |
VajraSpy removes information with particular extensions from the machine, and deletes all person name logs and the contact listing. |
