A Patchwork of espionage apps


ESET researchers have recognized twelve Android espionage apps that share the identical malicious code: six have been out there on Google Play, and 6 have been discovered on VirusTotal. All of the noticed functions have been marketed as messaging instruments aside from one which posed as a information app. Within the background, these apps covertly execute distant entry trojan (RAT) code known as VajraSpy, used for focused espionage by the Patchwork APT group.

VajraSpy has a variety of espionage functionalities that may be expanded primarily based on the permissions granted to the app bundled with its code. It steals contacts, information, name logs, and SMS messages, however a few of its implementations may even extract WhatsApp and Sign messages, file cellphone calls, and take photos with the digicam.

In response to our analysis, this Patchwork APT marketing campaign focused customers principally in Pakistan.

Key factors of the report:

  • We found a brand new cyberespionage marketing campaign that, with a excessive stage of confidence, we attribute to the Patchwork APT group.
  • The marketing campaign leveraged Google Play to distribute six malicious apps bundled with VajraSpy RAT code; six extra have been distributed within the wild.
  • The apps on Google Play reached over 1,400 installs and are nonetheless out there on different app shops.
  • Poor operational safety round one of many apps allowed us to geolocate 148 compromised gadgets.

Overview

In January 2023, we detected a trojanized information app known as Rafaqat رفاقت (the Urdu phrase interprets to Fellowship) getting used to steal person info. Additional analysis uncovered a number of extra functions with the identical malicious code as Rafaqat رفاقت. A few of these apps shared the identical developer certificates and person interface. In complete, we analyzed 12 trojanized apps, six of which (together with Rafaqat رفاقت) had been out there on Google Play, and 6 of which have been discovered within the wild. The six malicious apps that had been out there on Google Play have been downloaded greater than 1,400 instances altogether.

Based mostly on our investigation, the menace actors behind the trojanized apps in all probability used a honey-trap romance rip-off to lure their victims into putting in the malware.

All of the apps that have been in some unspecified time in the future out there on Google Play had been uploaded there between April 2021 and March 2023. The primary of the apps to look was Privee Discuss, uploaded on April 1st, 2021, reaching round 15 installs. Then, in October 2022, it was adopted by MeetMe, Let’s Chat, Fast Chat, and Rafaqat رفاق, put in altogether over 1,000 instances. The final app out there on Google Play was Chit Chat, which appeared in March 2023 and reached greater than 100 installs.

The apps share a number of commonalities: most are messaging functions, and all are bundled with the VajraSpy RAT code. MeetMe and Chit Chat use an similar person login interface; see Determine 1. Moreover, the Whats up Chat (not out there on Google Play retailer) and Chit Chat apps have been signed by the identical distinctive developer certificates (SHA-1 fingerprint: 881541A1104AEDC7CEE504723BD5F63E15DB6420), which suggests the identical developer created them.

VajraSpy – Figure 1
Determine 1. Login display of Whats up Chat (left) and MeetMe and Chit Chat (proper)

Other than the apps that was out there on Google Play, six extra messaging functions have been uploaded to VirusTotal. Chronologically, YohooTalk was the primary to look there, in February 2022. The TikTalk app appeared on VirusTotal late in April 2022; nearly instantly afterward, MalwareHunterTeam on X (previously Twitter) shared it with the area the place it was out there for obtain (fich[.]buzz). Whats up Chat was uploaded in April 2023. Nidus and GlowChat have been uploaded there in July 2023, and lastly, Wave Chat in September 2023. These six trojanized apps include the identical malicious code as these discovered on Google Play.

Determine 2 exhibits the dates when every utility grew to become out there, both on Google Play or as a pattern on VirusTotal.

VajraSpy - Figure 2
Determine 2. Timeline displaying the dates when the trojanized apps grew to become out there

ESET is a member of the App Protection Alliance and an lively associate within the malware mitigation program, which goals to rapidly discover Probably Dangerous Functions (PHAs) and cease them earlier than they ever make it onto Google Play.

As a Google App Protection Alliance associate, ESET recognized Rafaqat رفاقت as malicious and promptly shared these findings with Google. At that cut-off date, Rafaqat رفاقت had already been faraway from the storefront. Different apps, on the time of sharing pattern with us, have been scanned and never flagged as malicious. All of the apps recognized within the report that have been on Google Play are not on out there on the Play retailer.

Victimology

Whereas ESET telemetry knowledge registered detections from Malaysia solely, we consider these have been solely incidental and didn’t represent the precise targets of the marketing campaign. Throughout our investigation, weak operational safety of one of many apps led to some sufferer knowledge being uncovered, which allowed us to geolocate 148 compromised gadgets in Pakistan and India. These have been probably the precise targets of the assaults.

One other clue pointing towards Pakistan is the identify of the developer used for the Google Play itemizing of the Rafaqat رفاقت app. The menace actors used the identify Mohammad Rizwan, which can also be the identify of one of the common cricket gamers from Pakistan. Rafaqat رفاقت and several other extra of those trojanized apps additionally had the Pakistani nation calling code chosen by default on their login display. In response to Google Translate, رفاقت means “fellowship” in Urdu. Urdu is certainly one of nationwide languages in Pakistan.

We consider the victims have been approached by way of a honey-trap romance rip-off the place the marketing campaign operators feigned romantic and/or sexual curiosity of their targets on one other platform, after which satisfied them to obtain these trojanized apps.

Attribution to Patchwork

The malicious code executed by the apps was first found in March 2022 by QiAnXin. They named it VajraSpy and attributed it to APT-Q-43. This APT group targets principally diplomatic and authorities entities.

In March 2023, Meta revealed its first quarter adversarial menace report that comprises their take down operation and ways, strategies and procedures (TTPs) of varied APT teams. The report contains take down operation carried out by Patchwork APT group that consists of faux social media accounts, Android malware hashes, and distribution vector. The Menace indicators part of that report contains samples that have been analyzed and reported by QiAnXin with the identical distribution domains.

In November 2023, Qihoo 360 independently revealed an article matching malicious apps described by Meta and this report, attributing them to VajraSpy malware operated by Hearth Demon Snake (APT-C-52), a brand new APT group.

Our evaluation of those apps revealed that all of them share the identical malicious code and belong to the identical malware household, VajraSpy.  Meta’s report contains extra complete info, which could give Meta higher visibility on the campaigns and likewise extra knowledge to establish the APT group. Due to that, we attributed VajraSpy to the Patchwork APT group.

Technical evaluation

VajraSpy is a customizable trojan often disguised as a messaging utility, used to exfiltrate person knowledge. We seen that the malware has been utilizing the identical class names throughout all its noticed situations, be they the samples discovered by ESET or by different researchers.

For example, Determine 3 exhibits a comparability of malicious courses of variants of VajraSpy malware. The screenshot on the left is an inventory of malicious courses present in Click on App found by Meta, the one within the center lists the malicious courses in MeetMe (found by ESET), and the screenshot on the precise exhibits the malicious courses in WaveChat, a malicious app discovered within the wild. All of the apps share the identical employee courses chargeable for knowledge exfiltration.

VajraSpy – Figure 3
Determine 3. The identical malicious courses in Click on (left), MeetMe (center), and WaveChat (proper) apps

Determine 4 and Determine 5 present the code chargeable for exfiltrating notifications from the Loopy Discuss app talked about in Meta’s report, and the Nidus app, respectively.

VajraSpy – Figure 4
Determine 4. Code chargeable for intercepting notifications within the Loopy Discuss app
VajraSpy – Figure 5
Determine 5. Code chargeable for intercepting notifications within the Nidus app

The extent of VajraSpy’s malicious functionalities varies primarily based on the permissions granted to the trojanized utility.

For simpler evaluation, we’ve got break up the trojanized apps into three teams.

Group One: trojanized messaging functions with fundamental functionalities

The primary group contains all of the trojanized messaging functions that was out there on Google Play, i.e., MeetMe, Privee Discuss, Let’s Chat, Fast Chat, GlowChat, and Chit Chat. It additionally contains Whats up Chat, which wasn’t out there on Google Play.

All of the functions on this group present customary messaging performance, however first, they require the person to create an account. Creating an account is dependent upon cellphone quantity verification by way of a one-time SMS code – if the cellphone quantity can’t be verified, the account won’t be created. Nonetheless, whether or not the account is created or not is usually irrelevant to the malware, as VajraSpy runs regardless. The one doable utility of getting the sufferer confirm the cellphone quantity could possibly be for the menace actors to be taught their sufferer’s nation code, however that is simply hypothesis on our half.

These apps share the identical malicious performance, being able to exfiltrating the next:

  • contacts,
  • SMS messages,
  • name logs,
  • machine location,
  • an inventory of put in apps, and
  • information with particular extensions (.pdf, .doc, .docx, .txt, .ppt, .pptx, .xls, .xlsx, .jpg, .jpeg, .png, .mp3, .Om4a, .aac, and .opus).

A few of the apps can exploit their permissions to entry notifications. If such permission is granted, VajraSpy can intercept acquired messages from any messaging utility, together with SMS messages.

Determine 6 exhibits an inventory of file extensions that VajraSpy is able to exfiltrating from a tool.

VajraSpy – Figure 6
Determine 6. File extensions of exfiltrated information

The operators behind the assaults used Firebase Internet hosting, an online content material internet hosting service, for the C&C server. Other than serving because the C&C, the server was additionally used to retailer the victims’ account info and exchanged messages. We reported the server to Google, since they supply Firebase.

Group Two: trojanized messaging functions with superior functionalities

Group two consists of TikTalk, Nidus, YohooTalk, and Wave Chat, in addition to the situations of VajraSpy malware described in different analysis items, comparable to Loopy Discuss (lined by Meta and QiAnXin).

As with these in Group One, these apps ask the potential sufferer to create an account and confirm their cellphone quantity utilizing a one-time SMS code. The account gained’t be created if the cellphone quantity just isn’t verified, however VajraSpy will run anyway.

The apps on this group possess expanded capabilities in comparison with these in Group One. Along with the primary group’s functionalities, these apps are capable of exploit built-in accessibility choices to intercept WhatsApp, WhatsApp Enterprise, and Sign communication. VajraSpy logs any seen communication from these apps within the console and within the native database, and subsequently uploads it to the Firebase-hosted C&C server. For example, Determine 7 depicts the malware logging WhatsApp communication in actual time.

VajraSpy – Figure 7
Determine 7. Person opened WhatsApp chat (left), and VajraSpy logged and sotred all seen textual content (proper)

Moreover, their prolonged capabilities permit them to spy on chat communications and intercept notifications. All in all, the Group Two apps are able to exfiltrating the next along with these that may be exfiltrated by Group One apps:

  • acquired notifications, and
  • exchanged messages in WhatsApp, WhatsApp Enterprise, and Sign.

One of many apps on this group, Wave Chat, has much more malicious capabilities on prime of these we’ve got already lined. It additionally behaves in another way upon preliminary launch, asking the person to permit accessibility companies. As soon as allowed, these companies robotically allow all the required permissions on the person’s behalf, increasing the scope of VajraSpy’s entry to the machine. Along with the beforehand talked about malicious performance, Wave Chat also can:

  • file cellphone calls,
  • file calls from WhatsApp, WhatsApp Enterprise, Sign, and Telegram,
  • log keystrokes,
  • take photos utilizing the digicam,
  • file surrounding audio, and
  • scan for Wi-Fi networks.

Wave Chat can obtain a C&C command to take an image utilizing the digicam, and one other command to file audio, both for 60 seconds (by default) or for the period of time specified within the server response. The captured knowledge is then exfiltrated to the C&C by way of POST requests.

To obtain instructions and retailer person messages, SMS messages, and the contact listing, Wave Chat makes use of a Firebase server. For different exfiltrated knowledge, it makes use of a distinct C&C server and a shopper primarily based on an open-source venture known as Retrofit. Retrofit is an Android REST shopper in Java that makes it simple to retrieve and add knowledge by way of a REST-based internet service. VajraSpy makes use of it to add person knowledge unencrypted to the C&C server by way of HTTP.

Group Three: non-messaging functions

To this point, the one utility that belongs to this group is the one which kicked off this analysis within the first place – Rafaqat رفاقت. It’s the solely VajraSpy utility that isn’t used for messaging, and is ostensibly used to ship the newest information. Since information apps don’t have to request intrusive permissions comparable to entry to SMS messages or name logs, the malicious capabilities of Rafaqat رفاقت are restricted when in comparison with the opposite analyzed functions.

Rafaqat رفاقت was uploaded to Google Play on October 26th, 2022 by a developer going by the identify Mohammad Rizwan, which can also be the identify of one of the common Pakistani cricket gamers. The applying reached over a thousand installs earlier than being faraway from the Google Play retailer.

Apparently, the identical developer submitted two extra apps with an similar identify and malicious code for add to Google Play some weeks earlier than Rafaqat رفاقت appeared. Nonetheless, these two apps weren’t revealed on Google Play.

The app’s login interface with the Pakistan nation code preselected could be seen in Determine 8.

VajraSpy – Figure 8
Determine 8. Login display for the Rafaqat رفاقت app

Whereas the app requires a login utilizing a cellphone quantity upon launch, no quantity verification is applied, which means that the person can make use of any cellphone quantity to log in.

Rafaqat رفاقت can intercept notifications and exfiltrate the next:

  • contacts, and
  • information with particular extensions (.pdf, .doc, .docx, .txt, .ppt, .pptx, .xls, .xlsx, .jpg, .jpeg, .png, .mp3, .Om4a, .aac, and .opus).

Determine 9 exhibits the exfiltration of a acquired SMS message utilizing the permission to entry notifications.

VajraSpy – Figure 9
Determine 9. Exfiltration of a person notification (for a acquired SMS message)

Conclusion

ESET Analysis has found an espionage marketing campaign utilizing apps bundled with VajraSpy malware carried out, with a excessive stage of confidence, by the Patchwork APT group. Some apps have been distributed by way of Google Play and likewise discovered, together with others, within the wild. Based mostly on the out there numbers, the malicious apps that was out there on Google Play have been downloaded greater than 1,400 instances. A safety flaw in one of many apps additional revealed 148 compromised gadgets.

Based mostly on a number of indicators, the marketing campaign focused principally Pakistani customers: Rafaqat رفاقت, one of many malicious apps, used the identify of a preferred Pakistani cricket participant because the developer identify on Google Play; the apps that requested a cellphone quantity upon account creation have the Pakistan nation code chosen by default; and most of the compromised gadgets found by means of the safety flaw have been situated in Pakistan.

To entice their victims, the menace actors probably used focused honey-trap romance scams, initially contacting the victims on one other platform after which convincing them to modify to a trojanized chat utility. This was additionally reported within the Qihoo 360 analysis, the place menace actors began preliminary communication with victims by way of Fb Messenger and WhatsApp, then moved to a trojanized chat utility.

Cybercriminals wield social engineering as a robust weapon. We strongly advocate towards clicking any hyperlinks to obtain an utility which can be despatched in a chat dialog. It may be exhausting to remain resistant to spurious romantic advances, however it pays off to at all times be vigilant.

For any inquiries about our analysis revealed on WeLiveSecurity, please contact us at threatintel@eset.com.
ESET Analysis affords non-public APT intelligence studies and knowledge feeds. For any inquiries about this service, go to the ESET Menace Intelligence web page.

IoCs

Recordsdata

SHA-1

Package deal identify

ESET detection identify

Description

BAF6583C54FC680AA6F71F3B694E71657A7A99D0

com.whats up.chat

Android/Spy.VajraSpy.B

VajraSpy trojan.

846B83B7324DFE2B98264BAFAC24F15FD83C4115

com.chit.chat

Android/Spy.VajraSpy.A

VajraSpy trojan.

5CFB6CF074FF729E544A65F2BCFE50814E4E1BD8

com.meeete.org

Android/Spy.VajraSpy.A

VajraSpy trojan.

1B61DC3C2D2C222F92B84242F6FCB917D4BC5A61

com.nidus.no

Android/Spy.Agent.BQH

VajraSpy trojan.

BCD639806A143BD52F0C3892FA58050E0EEEF401

com.rafaqat.information

Android/Spy.VajraSpy.A

VajraSpy trojan.

137BA80E443610D9D733C160CCDB9870F3792FB8

com.tik.discuss

Android/Spy.VajraSpy.A

VajraSpy trojan.

5F860D5201F9330291F25501505EBAB18F55F8DA

com.wave.chat

Android/Spy.VajraSpy.C

VajraSpy trojan.

3B27A62D77C5B82E7E6902632DA3A3E5EF98E743

com.priv.discuss

Android/Spy.VajraSpy.C

VajraSpy trojan.

44E8F9D0CD935D0411B85409E146ACD10C80BF09

com.glow.glow

Android/Spy.VajraSpy.A

VajraSpy trojan.

94DC9311B53C5D9CC5C40CD943C83B71BD75B18A

com.letsm.chat

Android/Spy.VajraSpy.A

VajraSpy trojan.

E0D73C035966C02DF7BCE66E6CE24E016607E62E

com.nionio.org

Android/Spy.VajraSpy.C

VajraSpy trojan.

235897BCB9C14EB159E4E74DE2BC952B3AD5B63A

com.qqc.chat

Android/Spy.VajraSpy.A

VajraSpy trojan.

8AB01840972223B314BF3C9D9ED3389B420F717F

com.yoho.discuss

Android/Spy.VajraSpy.A

VajraSpy trojan.

Community

IP

Area

Internet hosting supplier

First seen

Particulars

34.120.160[.]131

hello-chat-c47ad-default-rtdb.firebaseio[.]com

chit-chat-e9053-default-rtdb.firebaseio[.]com

meetme-abc03-default-rtdb.firebaseio[.]com

chatapp-6b96e-default-rtdb.firebaseio[.]com

tiktalk-2fc98-default-rtdb.firebaseio[.]com

wave-chat-e52fe-default-rtdb.firebaseio[.]com

privchat-6cc58-default-rtdb.firebaseio[.]com

glowchat-33103-default-rtdb.firebaseio[.]com

letschat-5d5e3-default-rtdb.firebaseio[.]com

quick-chat-1d242-default-rtdb.firebaseio[.]com

yooho-c3345-default-rtdb.firebaseio[.]com

Google LLC

2022-04-01

VajraSpy C&C servers

35.186.236[.]207

rafaqat-d131f-default-rtdb.asia-southeast1.firebasedatabase[.]app

Google LLC

2023-03-04

VajraSpy C&C server

160.20.147[.]67

N/A

aurologic GmbH

2021-11-03

VajraSpy C&C server

MITRE ATT&CK strategies

This desk was constructed utilizing model 14 of the MITRE ATT&CK framework.

Tactic

ID

Title

Description

Persistence

T1398

Boot or Logon Initialization Scripts

VajraSpy receives the BOOT_COMPLETED broadcast intent to activate at machine startup.

Discovery

T1420

File and Listing Discovery

VajraSpy lists out there information on exterior storage.

T1422

System Community Configuration Discovery

VajraSpy extracts the IMEI, IMSI, cellphone quantity, and nation code.

T1426

System Info Discovery

VajraSpy extracts details about the machine, together with SIM serial quantity, machine ID, and customary system info.

T1418

Software program Discovery

VajraSpy can acquire an inventory of put in functions.

Assortment

T1533

Knowledge from Native System

VajraSpy exfiltrates information from the machine.

T1430

Location Monitoring

VajraSpy tracks machine location.

T1636.002

Protected Person Knowledge: Name Logs

VajraSpy extracts name logs.

T1636.003

Protected Person Knowledge: Contact Checklist

VajraSpy extracts the contact listing.

T1636.004

Protected Person Knowledge: SMS Messages

VajraSpy extracts SMS messages.

T1517

Entry Notifications

VajraSpy can acquire machine notifications.

T1429

Audio Seize

VajraSpy can file microphone audio and file calls.

T1512

Video Seize

VajraSpy can take photos utilizing the digicam.

T1417.001

Enter Seize: Keylogging

VajraSpy can intercept all interactions between a person and the machine.

Command and Management

T1437.001

Software Layer Protocol: Internet Protocols

VajraSpy makes use of HTTPS to speak with its C&C server.

T1481.003

Internet Service: One-Means Communication

VajraSpy makes use of Google’s Firebase server as a C&C.

Exfiltration

T1646

Exfiltration Over C2 Channel

VajraSpy exfiltrates knowledge utilizing HTTPS.

Impression

T1641

Knowledge Manipulation

VajraSpy removes information with particular extensions from the machine, and deletes all person name logs and the contact listing.

Leave a Reply

Your email address will not be published. Required fields are marked *

Back To Top