Patchwork, an APT group attributed to India and known for its use of romance scam lures, has been targeting victims in Pakistan and India with Android espionage apps. Some of these apps were distributed through the official Google Play Store: six of them were available for download there between April 2021 and March 2023.

Description

Slovak cybersecurity firm ESET identified 12 espionage apps in total [7], which were downloaded more than 1,400 times [1] [2] [4] [7] [8]. The apps bundled the VajraSpy remote access trojan (RAT), which can steal contacts and files [1] [2] [3] [7] [8], call logs [1] [3] [7] [8], SMS messages [1] [3] [7] [8] and WhatsApp and Signal messages [1] [2] [3] [7] [8], record phone calls [1] [2] [6] [7] [8], and take pictures with the camera [7]. How victims were steered to the apps has not been confirmed [7]; the assessment is that they were lured into installing them as part of a romance scam [7]. Patchwork has a history of such techniques, including creating fictitious personas on social media to share links to rogue apps [7]. VajraSpy has also been observed in earlier campaigns against Pakistani government and military entities [7], and Qihoo 360 tracks the actor behind it as Fire Demon Snake (aka APT-C-52) [7]. The same report notes that Nepalese government entities have likely been targeted through a separate phishing campaign [7].
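The capability list above maps onto a small set of Android runtime permissions and two system settings (notification-listener and accessibility access, which is how a chat app can read other apps' messages). The script below is an added example, not code from ESET's report or the cited articles: it parses constructed excerpts of `adb shell dumpsys package <pkg>` and of `settings get secure enabled_notification_listeners` / `enabled_accessibility_services`, and flags a package whose granted permissions cover the VajraSpy-style profile. The package names, the sample output and the threshold of four capabilities are assumptions for illustration.

```python
"""Flag an installed Android app whose granted permissions match a spyware profile.

Input formats (real adb commands, sample text constructed here):
  adb shell dumpsys package <pkg>                      -> lines like
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
  adb shell settings get secure enabled_notification_listeners
  adb shell settings get secure enabled_accessibility_services
      -> "null" or colon-separated "pkg/ServiceClass" entries
"""
import re

# Each capability reported for VajraSpy and the standard Android permissions that enable it.
CAPABILITY_PERMISSIONS = {
    "contacts": {"android.permission.READ_CONTACTS"},
    "files": {"android.permission.READ_EXTERNAL_STORAGE",
              "android.permission.MANAGE_EXTERNAL_STORAGE"},
    "call_logs": {"android.permission.READ_CALL_LOG"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "call_recording": {"android.permission.RECORD_AUDIO"},
    "camera": {"android.permission.CAMERA"},
}

# Matches the per-permission lines in the install/runtime permission sections of dumpsys output.
PERM_LINE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=(true|false)", re.M)


def granted_permissions(dumpsys_text: str) -> set[str]:
    """Return every android.permission.* marked granted=true in dumpsys package output."""
    return {name for name, state in PERM_LINE.findall(dumpsys_text) if state == "true"}


def has_enabled_service(settings_value: str, package: str) -> bool:
    """True if `package` owns an entry in a colon-separated pkg/Service settings value."""
    value = settings_value.strip()
    if value in ("", "null"):
        return False
    return any(entry.split("/", 1)[0] == package for entry in value.split(":"))


def assess(package: str, dumpsys_text: str,
           notification_listeners: str, accessibility_services: str) -> list[str]:
    """List the espionage-relevant capabilities the app currently holds on the device."""
    granted = granted_permissions(dumpsys_text)
    caps = {cap for cap, perms in CAPABILITY_PERMISSIONS.items() if granted & perms}
    # Reading WhatsApp/Signal content needs notification or accessibility access (assumption).
    if (has_enabled_service(notification_listeners, package)
            or has_enabled_service(accessibility_services, package)):
        caps.add("messenger_content")
    return sorted(caps)


def is_spyware_profile(capabilities: list[str], threshold: int = 4) -> bool:
    """Judgment call: a 'chat' app holding four or more of these capabilities deserves a look."""
    return len(capabilities) >= threshold


# Constructed sample: a messaging app that has been granted far more than it needs.
SUSPECT_PKG = "com.example.securechat"
SUSPECT_DUMPSYS = """\
Packages:
  Package [com.example.securechat] (a1b2c3):
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.RECEIVE_BOOT_COMPLETED: granted=true
    runtime permissions:
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
      android.permission.READ_CALL_LOG: granted=true, flags=[ USER_SET ]
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
      android.permission.CAMERA: granted=true, flags=[ USER_SET ]
      android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET ]
      android.permission.ACCESS_FINE_LOCATION: granted=false, flags=[ USER_SET ]
"""
SUSPECT_LISTENERS = "com.example.securechat/com.example.securechat.NotifService"

# Constructed sample: a flashlight app with only the camera permission.
BENIGN_PKG = "com.example.flashlight"
BENIGN_DUMPSYS = """\
    runtime permissions:
      android.permission.CAMERA: granted=true, flags=[ USER_SET ]
      android.permission.READ_CONTACTS: granted=false, flags=[ USER_SET ]
"""

if __name__ == "__main__":
    for pkg, dump, listeners in ((SUSPECT_PKG, SUSPECT_DUMPSYS, SUSPECT_LISTENERS),
                                 (BENIGN_PKG, BENIGN_DUMPSYS, "null")):
        caps = assess(pkg, dump, listeners, "null")
        print(f"{pkg}: {caps} -> {'SUSPECT' if is_spyware_profile(caps) else 'ok'}")
```

On a real device, feed the script the output of the three adb commands for each third-party package listed by `adb shell pm list packages -3`; the permission set is a trigger for closer inspection (check the installer, the developer account and the app's declared purpose), not proof of infection.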

In an unrelated campaign, financially motivated threat actors from Pakistan and India have been extorting Indian Android users with a fake loan app [7], threatening victims with the distribution of doctored photos unless they pay [7]. This fits a broader trend of predatory loan apps that rely on blackmail and harassment [7].

Separately, a Nigeria-based cybercriminal group known as the Yahoo Boys is increasingly targeting teenagers in Australia, Canada and the US with financial sextortion on social media platforms [7].

Conclusion

Patchwork's espionage campaign [3], built on Android apps bundled with the VajraSpy RAT, illustrates how threat actors adapt their tactics [3] and why caution when installing applications matters [3]. To reduce exposure to Android malware, keep the number of installed apps small and install only from official app stores [5]; as this case shows, that lowers the risk but does not remove it, since six of the apps were on Google Play. Google Play Protect scans apps for malware [5], and an antivirus app can add a further layer [5]. A practical check that follows from the capabilities described above is to review which apps hold SMS, call log, microphone, camera and notification or accessibility access, and to remove any whose stated purpose does not justify them. These incidents also underscore the need for awareness and education to mitigate the risks posed by cyber threats.

References

[1] https://www.cxoinsightme.com/news/eset-research-discovers-espionage-apps-on-the-attack-in-pakistan-utilising-romance-scams/
[2] https://www.darkreading.com/endpoint-security/google-play-spread-patchwork-apt-espionage-apps
[3] https://securityonline.info/the-hidden-threat-android-apps-with-vajraspy-rat-exposed/
[4] https://cyber.vumetric.com/security-news/2024/02/05/patchwork-using-romance-scam-lures-to-infect-android-devices-with-vajraspy-malware/
[5] https://www.tomsguide.com/computing/malware-adware/malicious-messaging-apps-used-to-spread-malware-on-google-play-delete-these-right-now
[6] https://www.redpacketsecurity.com/more-android-apps-riddled-with-malware-spotted-on-google-play/
[7] https://thehackernews.com/2024/02/patchwork-using-romance-scam-lures-to.html
[8] https://securitymea.com/2024/02/05/eset-research-discovers-espionage-apps-on-the-attack-in-pakistan/