ESET researchers have identified twelve Android espionage apps that share the same malicious code: six were available on Google Play, and six were found on VirusTotal. All of the observed applications were advertised as messaging tools, apart from one that posed as a news app. In the background, these apps covertly execute remote access trojan (RAT) code called VajraSpy, used for targeted espionage by the Patchwork APT group.
VajraSpy has a range of espionage functionalities that can be expanded based on the permissions granted to the app bundled with its code. It steals contacts, files, call logs, and SMS messages, but some of its implementations can even extract WhatsApp and Signal messages, record phone calls, and take pictures with the camera.
According to our research, this Patchwork APT campaign targeted users mostly in Pakistan.
Key points of the report:
- We discovered a new cyberespionage campaign that, with a high level of confidence, we attribute to the Patchwork APT group.
- The campaign leveraged Google Play to distribute six malicious apps bundled with VajraSpy RAT code; six more were distributed in the wild.
- The apps on Google Play reached over 1,400 installs and are still available on other app stores.
- Poor operational security around one of the apps allowed us to geolocate 148 compromised devices.
Overview
In January 2023, we detected a trojanized news app called Rafaqat رفاقت (the Urdu word translates to Fellowship) being used to steal user information. Further research uncovered several more applications with the same malicious code as Rafaqat رفاقت. Some of these apps shared the same developer certificate and user interface. In total, we analyzed 12 trojanized apps, six of which (including Rafaqat رفاقت) were available on Google Play, and six of which were found in the wild. The six malicious apps that were available on Google Play were downloaded more than 1,400 times altogether.
Based on our investigation, the threat actors behind the trojanized apps probably used a honey-trap romance scam to lure their victims into installing the malware.
All the apps that were at some point available on Google Play were uploaded there between April 2021 and March 2023. The first of the apps to appear was Privee Talk, uploaded on April 1st, 2021, reaching around 15 installs. Then, in October 2022, it was followed by MeetMe, Let’s Chat, Quick Chat, and Rafaqat رفاقت, installed altogether over 1,000 times. The last app available on Google Play was Chit Chat, which appeared in March 2023 and reached more than 100 installs.
The apps share several commonalities: most are messaging applications, and all are bundled with the VajraSpy RAT code. MeetMe and Chit Chat use an identical user login interface; see Figure 1. Moreover, the Hello Chat (not available on the Google Play store) and Chit Chat apps were signed by the same unique developer certificate (SHA-1 fingerprint: 881541A1104AEDC7CEE504723BD5F63E15DB6420), which suggests the same developer created them.

Apart from the apps that were available on Google Play, six more messaging applications were uploaded to VirusTotal. Chronologically, YohooTalk was the first to appear there, in February 2022. The TikTalk app appeared on VirusTotal late in April 2022; almost immediately afterward, MalwareHunterTeam on X (formerly Twitter) shared it together with the domain where it was available for download (fich[.]buzz). Hello Chat was uploaded in April 2023. Nidus and GlowChat were uploaded there in July 2023, and finally, Wave Chat in September 2023. These six trojanized apps contain the same malicious code as those found on Google Play.
Figure 2 shows the dates when each application became available, either on Google Play or as a sample on VirusTotal.

ESET is a member of the App Defense Alliance and an active partner in the malware mitigation program, which aims to quickly find Potentially Harmful Applications (PHAs) and stop them before they ever make it onto Google Play.
As a Google App Defense Alliance partner, ESET identified Rafaqat رفاقت as malicious and promptly shared these findings with Google. At that point in time, Rafaqat رفاقت had already been removed from the storefront. The other apps, at the time their samples were shared with us, were scanned and not flagged as malicious. All the apps identified in this report that were on Google Play are no longer available on the Play store.
Victimology
While ESET telemetry data registered detections from Malaysia only, we believe these were only incidental and did not represent the actual targets of the campaign. During our investigation, weak operational security of one of the apps led to some victim data being exposed, which allowed us to geolocate 148 compromised devices in Pakistan and India. These were probably the actual targets of the attacks.
Another clue pointing toward Pakistan is the name of the developer used for the Google Play listing of the Rafaqat رفاقت app. The threat actors used the name Mohammad Rizwan, which is also the name of one of the most popular cricket players from Pakistan. Rafaqat رفاقت and several more of these trojanized apps also had the Pakistani country calling code selected by default on their login screen. According to Google Translate, رفاقت means “fellowship” in Urdu. Urdu is one of the national languages of Pakistan.
We believe the victims were approached via a honey-trap romance scam where the campaign operators feigned romantic and/or sexual interest in their targets on another platform, and then convinced them to download these trojanized apps.
Attribution to Patchwork
The malicious code executed by the apps was first discovered in March 2022 by QiAnXin. They named it VajraSpy and attributed it to APT-Q-43. This APT group targets mostly diplomatic and government entities.
In March 2023, Meta published its first quarter adversarial threat report, which describes their takedown operations and the tactics, techniques and procedures (TTPs) of various APT groups. The report includes a takedown operation concerning the Patchwork APT group, covering fake social media accounts, Android malware hashes, and the distribution vector. The Threat indicators section of that report includes samples that were analyzed and reported by QiAnXin, with the same distribution domains.
In November 2023, Qihoo 360 independently published an article matching the malicious apps described by Meta and in this report, attributing them to VajraSpy malware operated by Fire Demon Snake (APT-C-52), a new APT group.
Our analysis of these apps revealed that all of them share the same malicious code and belong to the same malware family, VajraSpy. Meta’s report includes more comprehensive information, which may give Meta better visibility into the campaigns and also more data to identify the APT group. Because of that, we attribute VajraSpy to the Patchwork APT group.
Technical analysis
VajraSpy is a customizable trojan usually disguised as a messaging application, used to exfiltrate user data. We noticed that the malware has been using the same class names across all its observed instances, be they the samples found by ESET or by other researchers.
For example, Figure 3 shows a comparison of the malicious classes of several VajraSpy variants. The screenshot on the left is a list of malicious classes found in Click App, discovered by Meta; the one in the middle lists the malicious classes in MeetMe (discovered by ESET); and the screenshot on the right shows the malicious classes in WaveChat, a malicious app found in the wild. All the apps share the same worker classes responsible for data exfiltration.

Figure 4 and Figure 5 show the code responsible for exfiltrating notifications from the Crazy Talk app mentioned in Meta’s report, and from the Nidus app, respectively.


The extent of VajraSpy’s malicious functionalities varies based on the permissions granted to the trojanized application.
For easier analysis, we have split the trojanized apps into three groups.
Group One: trojanized messaging applications with basic functionalities
The first group includes all the trojanized messaging applications that were available on Google Play, i.e., MeetMe, Privee Talk, Let’s Chat, Quick Chat, GlowChat, and Chit Chat. It also includes Hello Chat, which wasn’t available on Google Play.
All the applications in this group provide standard messaging functionality, but first, they require the user to create an account. Creating an account depends on phone number verification via a one-time SMS code; if the phone number can’t be verified, the account won’t be created. However, whether the account is created or not is mostly irrelevant to the malware, as VajraSpy runs regardless. The only possible utility of having the victim verify the phone number could be for the threat actors to learn their victim’s country code, but this is just speculation on our part.
These apps share the same malicious functionality, being capable of exfiltrating the following:
- contacts,
- SMS messages,
- call logs,
- device location,
- a list of installed apps, and
- files with specific extensions (.pdf, .doc, .docx, .txt, .ppt, .pptx, .xls, .xlsx, .jpg, .jpeg, .png, .mp3, .m4a, .aac, and .opus).
Some of the apps can exploit their permissions to access notifications. If such permission is granted, VajraSpy can intercept received messages from any messaging application, including SMS messages.
Figure 6 shows the list of file extensions that VajraSpy is capable of exfiltrating from a device.

The operators behind the attacks used Firebase Hosting, a web content hosting service, for the C&C server. Apart from serving as the C&C, the server was also used to store the victims’ account information and exchanged messages. We reported the server to Google, since they provide Firebase.
Group Two: trojanized messaging applications with advanced functionalities
Group Two consists of TikTalk, Nidus, YohooTalk, and Wave Chat, as well as the instances of VajraSpy malware described in other research pieces, such as Crazy Talk (covered by Meta and QiAnXin).
As with those in Group One, these apps ask the potential victim to create an account and verify their phone number using a one-time SMS code. The account won’t be created if the phone number isn’t verified, but VajraSpy will run anyway.
The apps in this group possess expanded capabilities compared to those in Group One. In addition to the first group’s functionalities, these apps are able to exploit built-in accessibility options to intercept WhatsApp, WhatsApp Business, and Signal communication. VajraSpy logs any visible communication from these apps in the console and in the local database, and subsequently uploads it to the Firebase-hosted C&C server. For example, Figure 7 depicts the malware logging WhatsApp communication in real time.

Moreover, their extended capabilities allow them to spy on chat communications and intercept notifications. All in all, the Group Two apps are capable of exfiltrating the following in addition to what can be exfiltrated by Group One apps:
- received notifications, and
- exchanged messages in WhatsApp, WhatsApp Business, and Signal.
One of the apps in this group, Wave Chat, has even more malicious capabilities on top of those we have already covered. It also behaves differently upon initial launch, asking the user to enable accessibility services. Once enabled, these services automatically grant all the required permissions on the user’s behalf, expanding the scope of VajraSpy’s access to the device. In addition to the previously mentioned malicious functionality, Wave Chat can also:
- record phone calls,
- record calls from WhatsApp, WhatsApp Business, Signal, and Telegram,
- log keystrokes,
- take pictures using the camera,
- record surrounding audio, and
- scan for Wi-Fi networks.
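Two capability classes recur in this report: notification access (Group One and Rafaqat رفاقت) and accessibility services (Group Two, and Wave Chat in particular, which uses them to self-grant permissions). Android records both kinds of grant as colon-separated component lists in Settings.Secure, and `adb shell settings get secure enabled_accessibility_services` / `enabled_notification_listeners` print them verbatim. The following is an added triage example, not ESET's code: it parses such strings offline and cross-checks the owning packages against the package names from the IoC table. The sample setting values and class names are constructed, and the platform-package prefix allowlist is an assumption of this example rather than an Android guarantee.

```python
"""Offline triage of Android Settings.Secure grants (added example, not ESET's code).

Both 'enabled_accessibility_services' and 'enabled_notification_listeners' hold
ComponentName strings joined by ':'; a grant to a non-platform package in either
list is the capability class this report describes being abused.
"""

# Package names taken from the report's IoC table.
VAJRASPY_PACKAGES = frozenset({
    "com.hello.chat", "com.chit.chat", "com.meeete.org", "com.nidus.no",
    "com.rafaqat.news", "com.tik.talk", "com.wave.chat", "com.priv.talk",
    "com.glow.glow", "com.letsm.chat", "com.nionio.org", "com.qqc.chat",
    "com.yoho.talk",
})

# Prefixes treated as platform components during triage. This is an assumption
# of the example; a real baseline should come from a clean device of the same build.
PLATFORM_PREFIXES = ("com.android.", "com.google.android.")

# Constructed sample values mimicking the output of
#   adb shell settings get secure enabled_accessibility_services
#   adb shell settings get secure enabled_notification_listeners
# The class names are invented for illustration.
SAMPLE_ACCESSIBILITY = (
    "com.wave.chat/com.wave.chat.svc.AccessService:"
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
)
SAMPLE_LISTENERS = (
    "com.android.systemui/.NotificationListener:"
    "com.nidus.no/.NotifyService"
)


def parse_component_list(raw):
    """Turn 'pkg/cls:pkg2/.RelCls' into {pkg: [fully.qualified.cls, ...]}.

    Android prints the literal string 'null' (or nothing) when no grant exists,
    and a class name starting with '.' is relative to its package.
    """
    components = {}
    raw = (raw or "").strip()
    if raw in ("", "null"):
        return components
    for entry in raw.split(":"):
        if not entry:
            continue
        pkg, _, cls = entry.partition("/")
        if cls.startswith("."):
            cls = pkg + cls
        components.setdefault(pkg, []).append(cls)
    return components


def audit_grants(accessibility_raw, listeners_raw, known_bad=VAJRASPY_PACKAGES):
    """Return (setting, package, verdict) for every grant not held by a platform package.

    Known VajraSpy packages get a definite verdict; any other third-party grant
    is surfaced for manual review rather than silently accepted.
    """
    findings = []
    for setting, raw in (
        ("enabled_accessibility_services", accessibility_raw),
        ("enabled_notification_listeners", listeners_raw),
    ):
        for pkg in sorted(parse_component_list(raw)):
            if pkg in known_bad:
                findings.append((setting, pkg, "known VajraSpy package"))
            elif not pkg.startswith(PLATFORM_PREFIXES):
                findings.append((setting, pkg, "third-party grant, review"))
    return findings


if __name__ == "__main__":
    for setting, pkg, verdict in audit_grants(SAMPLE_ACCESSIBILITY, SAMPLE_LISTENERS):
        print(f"{setting}: {pkg} -> {verdict}")
```

On the constructed input the script flags `com.wave.chat` holding an accessibility service and `com.nidus.no` holding notification access, while TalkBack and SystemUI pass as platform components. The same two settings keys can be pulled from a device backup or an MDM inventory and fed to `audit_grants` unchanged.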
Wave Chat can receive a C&C command to take a picture using the camera, and another command to record audio, either for 60 seconds (by default) or for the amount of time specified in the server response. The captured data is then exfiltrated to the C&C via POST requests.
To receive commands and store user messages, SMS messages, and the contact list, Wave Chat uses a Firebase server. For other exfiltrated data, it uses a different C&C server and a client based on an open-source project called Retrofit. Retrofit is an Android REST client in Java that makes it easy to retrieve and upload data via a REST-based web service. VajraSpy uses it to upload user data unencrypted to the C&C server via HTTP.
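The Firebase-hosted C&C described for Group One and the two-channel setup described here for Wave Chat (Firebase Realtime Database plus a separate HTTP server) leave distinct traces in DNS and proxy logs. The following is an added detection example, not ESET's code: it matches log lines against the hostnames and IPs from the Network IoC table below, after refanging them. The log format and the log lines are constructed for the example. One design choice worth noting: the two Firebase-fronting IPs belong to Google LLC and are shared with many legitimate apps, so an IP-only match is reported as a weaker verdict than an exact hostname match, and a hit on some other `*-default-rtdb.firebaseio.com` name is reported as informational only.

```python
"""Match DNS/HTTP log lines against the report's network IoCs (added example, not ESET's code)."""
import ipaddress
import re
from collections import Counter


def refang(indicator):
    """Undo the report's defanging ('[.]' -> '.')."""
    return indicator.replace("[.]", ".")


# Indicators copied from the report's Network table.
C2_HOSTS = frozenset(refang(h) for h in (
    "hello-chat-c47ad-default-rtdb.firebaseio[.]com",
    "chit-chat-e9053-default-rtdb.firebaseio[.]com",
    "meetme-abc03-default-rtdb.firebaseio[.]com",
    "chatapp-6b96e-default-rtdb.firebaseio[.]com",
    "tiktalk-2fc98-default-rtdb.firebaseio[.]com",
    "wave-chat-e52fe-default-rtdb.firebaseio[.]com",
    "privchat-6cc58-default-rtdb.firebaseio[.]com",
    "glowchat-33103-default-rtdb.firebaseio[.]com",
    "letschat-5d5e3-default-rtdb.firebaseio[.]com",
    "quick-chat-1d242-default-rtdb.firebaseio[.]com",
    "yooho-c3345-default-rtdb.firebaseio[.]com",
    "rafaqat-d131f-default-rtdb.asia-southeast1.firebasedatabase[.]app",
))
C2_IPS = frozenset(refang(ip) for ip in (
    "34.120.160[.]131", "35.186.236[.]207", "160.20.147[.]67",
))

# Constructed log lines: "<timestamp> <client> <dns|http> <queried name or connected IP>".
SAMPLE_LOGS = """\
2023-03-05T10:01:12Z 10.0.0.21 dns wave-chat-e52fe-default-rtdb.firebaseio.com.
2023-03-05T10:01:13Z 10.0.0.21 http 34.120.160.131
2023-03-05T10:02:40Z 10.0.0.33 dns some-legit-app-12345-default-rtdb.firebaseio.com
2023-03-05T10:03:01Z 10.0.0.47 dns rafaqat-d131f-default-rtdb.asia-southeast1.firebasedatabase.app
2023-03-05T10:03:02Z 10.0.0.47 http 160.20.147.67
2023-03-05T10:04:00Z 10.0.0.50 dns www.example.com
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<kind>dns|http)\s+(?P<target>\S+)$")


def classify(target):
    """Return a verdict for one hostname or IP, or None if it is unremarkable."""
    target = target.lower().rstrip(".")  # normalise case and a trailing root dot
    if target in C2_HOSTS:
        return "vajraspy_c2_host"        # exact IoC match: high confidence
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # Shared Google front-end addresses: weaker signal than a hostname hit.
        return "vajraspy_c2_ip" if str(ip) in C2_IPS else None
    if target.endswith((".firebaseio.com", ".firebasedatabase.app")):
        return "firebase_rtdb_other"     # informational: Firebase is widely used legitimately
    return None


def scan(log_text):
    """Parse log lines and return (client, target, verdict) for every hit."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        verdict = classify(m["target"])
        if verdict:
            hits.append((m["client"], m["target"].lower().rstrip("."), verdict))
    return hits


def summarize(hits):
    """Count verdicts per client so the devices needing attention surface first."""
    per_client = {}
    for client, _, verdict in hits:
        per_client.setdefault(client, Counter())[verdict] += 1
    return per_client


if __name__ == "__main__":
    found = scan(SAMPLE_LOGS)
    for client, target, verdict in found:
        print(f"{client} {verdict:20} {target}")
    print(dict(summarize(found)))
```

On the sample data the two clients that resolved a listed Realtime Database name and then connected to a listed IP stand out, the client that only used an unrelated Firebase project is surfaced as informational, and ordinary traffic is ignored. Matching the exact project hostnames rather than the `firebaseio.com` parent domain is what keeps the rule usable on a network full of legitimate Firebase-backed apps.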
Group Three: non-messaging applications
So far, the only application that belongs to this group is the one that kicked off this research in the first place: Rafaqat رفاقت. It is the only VajraSpy application that isn’t used for messaging, and is ostensibly used to deliver the latest news. Since news apps don’t need to request intrusive permissions such as access to SMS messages or call logs, the malicious capabilities of Rafaqat رفاقت are limited when compared to the other analyzed applications.
Rafaqat رفاقت was uploaded to Google Play on October 26th, 2022 by a developer going by the name Mohammad Rizwan, which is also the name of one of the most popular Pakistani cricket players. The application reached over a thousand installs before being removed from the Google Play store.
Interestingly, the same developer submitted two more apps with an identical name and malicious code for upload to Google Play some weeks before Rafaqat رفاقت appeared. However, these two apps weren’t published on Google Play.
The app’s login interface with the Pakistan country code preselected can be seen in Figure 8.

While the app requires a login using a phone number upon launch, no number verification is implemented, meaning that the user can employ any phone number to log in.
Rafaqat رفاقت can intercept notifications and exfiltrate the following:
- contacts, and
- files with specific extensions (.pdf, .doc, .docx, .txt, .ppt, .pptx, .xls, .xlsx, .jpg, .jpeg, .png, .mp3, .m4a, .aac, and .opus).
Figure 9 shows the exfiltration of a received SMS message using the permission to access notifications.

Conclusion
ESET Research has discovered an espionage campaign using apps bundled with VajraSpy malware, carried out, with a high level of confidence, by the Patchwork APT group. Some apps were distributed via Google Play and were also found, together with others, in the wild. Based on the available numbers, the malicious apps that were available on Google Play were downloaded more than 1,400 times. A security flaw in one of the apps further revealed 148 compromised devices.
Based on several indicators, the campaign targeted mostly Pakistani users: Rafaqat رفاقت, one of the malicious apps, used the name of a popular Pakistani cricket player as the developer name on Google Play; the apps that requested a phone number upon account creation have the Pakistan country code selected by default; and many of the compromised devices discovered through the security flaw were located in Pakistan.
To lure their victims, the threat actors probably used targeted honey-trap romance scams, initially contacting the victims on another platform and then convincing them to switch to a trojanized chat application. This was also reported in the Qihoo 360 research, where the threat actors started initial communication with victims via Facebook Messenger and WhatsApp, then moved to a trojanized chat application.
Cybercriminals wield social engineering as a powerful weapon. We strongly advise against clicking any links to download an application that are sent in a chat conversation. It can be hard to stay immune to spurious romantic advances, but it pays to always be vigilant.
For any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.
ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.
IoCs
Files
| SHA-1 | Package name | ESET detection name | Description |
|---|---|---|---|
| BAF6583C54FC680AA6F71F3B694E71657A7A99D0 | com.hello.chat | Android/Spy.VajraSpy.B | VajraSpy trojan. |
| 846B83B7324DFE2B98264BAFAC24F15FD83C4115 | com.chit.chat | Android/Spy.VajraSpy.A | VajraSpy trojan. |
| 5CFB6CF074FF729E544A65F2BCFE50814E4E1BD8 | com.meeete.org | Android/Spy.VajraSpy.A | VajraSpy trojan. |
| 1B61DC3C2D2C222F92B84242F6FCB917D4BC5A61 | com.nidus.no | Android/Spy.Agent.BQH | VajraSpy trojan. |
| BCD639806A143BD52F0C3892FA58050E0EEEF401 | com.rafaqat.news | Android/Spy.VajraSpy.A | VajraSpy trojan. |
| 137BA80E443610D9D733C160CCDB9870F3792FB8 | com.tik.talk | Android/Spy.VajraSpy.A | VajraSpy trojan. |
| 5F860D5201F9330291F25501505EBAB18F55F8DA | com.wave.chat | Android/Spy.VajraSpy.C | VajraSpy trojan. |
| 3B27A62D77C5B82E7E6902632DA3A3E5EF98E743 | com.priv.talk | Android/Spy.VajraSpy.C | VajraSpy trojan. |
| 44E8F9D0CD935D0411B85409E146ACD10C80BF09 | com.glow.glow | Android/Spy.VajraSpy.A | VajraSpy trojan. |
| 94DC9311B53C5D9CC5C40CD943C83B71BD75B18A | com.letsm.chat | Android/Spy.VajraSpy.A | VajraSpy trojan. |
| E0D73C035966C02DF7BCE66E6CE24E016607E62E | com.nionio.org | Android/Spy.VajraSpy.C | VajraSpy trojan. |
| 235897BCB9C14EB159E4E74DE2BC952B3AD5B63A | com.qqc.chat | Android/Spy.VajraSpy.A | VajraSpy trojan. |
| 8AB01840972223B314BF3C9D9ED3389B420F717F | com.yoho.talk | Android/Spy.VajraSpy.A | VajraSpy trojan. |
Network
| IP | Domain | Hosting provider | First seen | Details |
|---|---|---|---|---|
| 34.120.160[.]131 | hello-chat-c47ad-default-rtdb.firebaseio[.]com, chit-chat-e9053-default-rtdb.firebaseio[.]com, meetme-abc03-default-rtdb.firebaseio[.]com, chatapp-6b96e-default-rtdb.firebaseio[.]com, tiktalk-2fc98-default-rtdb.firebaseio[.]com, wave-chat-e52fe-default-rtdb.firebaseio[.]com, privchat-6cc58-default-rtdb.firebaseio[.]com, glowchat-33103-default-rtdb.firebaseio[.]com, letschat-5d5e3-default-rtdb.firebaseio[.]com, quick-chat-1d242-default-rtdb.firebaseio[.]com, yooho-c3345-default-rtdb.firebaseio[.]com | Google LLC | 2022-04-01 | VajraSpy C&C servers |
| 35.186.236[.]207 | rafaqat-d131f-default-rtdb.asia-southeast1.firebasedatabase[.]app | Google LLC | 2023-03-04 | VajraSpy C&C server |
| 160.20.147[.]67 | N/A | aurologic GmbH | 2021-11-03 | VajraSpy C&C server |
MITRE ATT&CK techniques
This table was built using version 14 of the MITRE ATT&CK framework.
| Tactic | ID | Name | Description |
|---|---|---|---|
| Persistence | T1398 | Boot or Logon Initialization Scripts | VajraSpy receives the BOOT_COMPLETED broadcast intent to activate at device startup. |
| Discovery | T1420 | File and Directory Discovery | VajraSpy lists available files on external storage. |
| | T1422 | System Network Configuration Discovery | VajraSpy extracts the IMEI, IMSI, phone number, and country code. |
| | T1426 | System Information Discovery | VajraSpy extracts information about the device, including the SIM serial number, device ID, and common system information. |
| | T1418 | Software Discovery | VajraSpy can obtain a list of installed applications. |
| Collection | T1533 | Data from Local System | VajraSpy exfiltrates files from the device. |
| | T1430 | Location Tracking | VajraSpy tracks device location. |
| | T1636.002 | Protected User Data: Call Log | VajraSpy extracts call logs. |
| | T1636.003 | Protected User Data: Contact List | VajraSpy extracts the contact list. |
| | T1636.004 | Protected User Data: SMS Messages | VajraSpy extracts SMS messages. |
| | T1517 | Access Notifications | VajraSpy can collect device notifications. |
| | T1429 | Audio Capture | VajraSpy can record microphone audio and record calls. |
| | T1512 | Video Capture | VajraSpy can take pictures using the camera. |
| | T1417.001 | Input Capture: Keylogging | VajraSpy can intercept all interactions between a user and the device. |
| Command and Control | T1437.001 | Application Layer Protocol: Web Protocols | VajraSpy uses HTTPS to communicate with its C&C server. |
| | T1481.003 | Web Service: One-Way Communication | VajraSpy uses Google’s Firebase server as a C&C. |
| Exfiltration | T1646 | Exfiltration Over C2 Channel | VajraSpy exfiltrates data using HTTPS. |
| Impact | T1641 | Data Manipulation | VajraSpy removes files with specific extensions from the device, and deletes all user call logs and the contact list. |