Sunday, July 14, 2024

New Android Malware on Google Play Disguised as Messaging or News Apps

Researchers have discovered twelve malicious Android espionage applications, all of which execute remote access trojan (RAT) code known as VajraSpy.

Six of them were available on the Google Play Store, while the other six were found on VirusTotal.

All of these applications share several similarities, such as a messaging platform bundled with VajraSpy RAT code and the same developer certificate.

The date of upload of these applications was between April 2021 and March 2023. Among these applications, only one was found to be a new application that differed from the rest.

The earliest app was discovered to be Privee Talk, uploaded on April 1st, 2021, and the latest app was Wave Chat, which appeared in September 2023.

All of these applications combined had nearly 1400 installations. The list of malicious applications is as follows:

  • Rafaqat رفاقت 
  • Privee talk
  • MeetMe
  • Let’s Chat
  • Quick Chat
  • Chit Chat
  • TikTalk
  • Hello Chat
  • YohooTalk
  • Nidus
  • GlowChat
  • WaveChat
  • Click App
  • Crazy Talk
Login Screen malicious Chat Applications (Source: ESET)

Android Malware on Google Play

According to the reports shared with Cyber Security News, VajraSpy is a customizable trojan that can be used to exfiltrate user data and that uses the same class names in all of the malicious applications.

Same malicious application classes (Source: ESET)

Additionally, all observed applications shared the same worker classes for data exfiltration. However, the trojanized applications can be split into three groups:

  1. Trojanized messaging applications with basic functionalities
  2. Trojanized messaging applications with advanced functionalities
  3. Non-Messaging applications
Timeline of Applications (Source: ESET)

Trojanized Messaging Applications

This group consists of malicious applications that were available on Google Play, such as MeetMe, Privee Talk, Let’s Chat, Quick Chat, GlowChat, and Chit Chat. It also includes Hello Chat, which wasn’t available on Google Play.

This group of applications has a standard messaging functionality and initially requires the creation of an account.

In addition, mobile number verification is performed using OTP SMS codes. However, this step is irrelevant, as VajraSpy runs regardless of whether it succeeds.

Moreover, phone number verification is speculated to be performed by threat actors as a means of learning the victim’s country code.

All of the applications in this group are capable of exfiltrating the following data:

  • Contacts,
  • SMS messages,
  • call logs,
  • device location,
  • a list of installed apps, and
  • files with specific extensions (.pdf, .doc, .docx, .txt, .ppt, .pptx, .xls, .xlsx, .jpg, .jpeg, .png, .mp3, .Om4a, .aac, and .opus).

Trojanized messaging applications with advanced functionalities

This group consists of the TikTalk, Nidus, YohooTalk, Crazy Talk, and Wave Chat applications. These applications have extended capabilities, such as intercepting WhatsApp, WhatsApp Business, and Signal communication.

Moreover, VajraSpy also logs any visible communications from these apps in the console and in the local database, which are uploaded to the Firebase-hosted C&C server. Apart from this, these applications can also intercept any device notifications.

One of the applications inside the group, Wave Chat, was found to have additional capabilities, such as:

  • record phone calls,
  • record calls from WhatsApp, WhatsApp Business, Signal, and Telegram,
  • log keystrokes,
  • take pictures using the camera,
  • record surrounding audio, and
  • scan for Wi-Fi networks.

Non-Messaging applications

As mentioned earlier, only the Rafaqat رفاقت application belongs to this group, which is the only non-chat application. Though this application asks for a phone number, no verification is performed. 

This application was also found to be capable of intercepting notifications and exfiltrating contacts and files with specific extensions such as .pdf, .doc, .docx, .txt, .ppt, .pptx, .xls, .xlsx, .jpg, .jpeg, .png, .mp3, .Om4a, .aac, and .opus.
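
Notification interception is common to the advanced messaging group and to Rafaqat, so one practical triage step on a device is to review which user-installed apps hold notification access. The following is an added example, not code from ESET or from the original article; it parses constructed sample output of `adb shell settings get secure enabled_notification_listeners` and `adb shell pm list packages -3`, and every package name and the approved-app set are hypothetical.

```python
"""Triage: which user-installed apps hold notification-listener access?"""

# Constructed sample of `adb shell settings get secure enabled_notification_listeners`
# (colon-separated component names); all package names are hypothetical.
SAMPLE_LISTENERS = (
    "com.example.preinstalled/.notifications.Listener:"
    "com.example.chatlite/com.example.chatlite.svc.NotifSvc:"
    "com.example.wearsync/.NotificationRelay"
)
# Constructed sample of `adb shell pm list packages -3` (user-installed apps only).
SAMPLE_THIRD_PARTY = """package:com.example.chatlite
package:com.example.wearsync
package:com.example.notes
"""


def parse_listeners(raw):
    """Return {package: [service class, ...]} from the secure-setting value."""
    result = {}
    raw = raw.strip()
    if not raw or raw == "null":          # setting unset: no listeners enabled
        return result
    for component in raw.split(":"):
        pkg, sep, cls = component.strip().partition("/")
        if not sep or not pkg:
            continue                      # skip malformed entries
        if cls.startswith("."):           # expand shorthand relative class name
            cls = pkg + cls
        result.setdefault(pkg, []).append(cls)
    return result


def parse_packages(raw):
    """Return the set of package names from `pm list packages` output."""
    return {line.split(":", 1)[1].strip()
            for line in raw.splitlines() if line.startswith("package:")}


def review_notification_access(listeners_raw, third_party_raw, approved=()):
    """User-installed packages with notification access that are not approved."""
    listeners = parse_listeners(listeners_raw)
    third_party = parse_packages(third_party_raw)
    return {pkg: classes for pkg, classes in sorted(listeners.items())
            if pkg in third_party and pkg not in approved}


if __name__ == "__main__":
    # com.example.wearsync is treated as an approved companion app (assumption).
    for pkg, classes in review_notification_access(
            SAMPLE_LISTENERS, SAMPLE_THIRD_PARTY, {"com.example.wearsync"}).items():
        print(f"review: {pkg} can read notifications via {', '.join(classes)}")
```

A hit is a prompt for manual review, not a verdict: legitimate companion and automation apps also request notification access.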

ESET has published a report on these applications, providing detailed information about the source code, application analysis, malware analysis, and other information.

Indicators of Compromise



Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
