Twelve malicious Android espionage applications have been discovered by researchers, with all of them executing a remote access trojan (RAT) code known as VajraSpy.
Six of them were discovered to be available on Google Play Store, whereas the other six were discovered with VirusTotal.
All of these applications share several similarities, such as messaging platform bundled with VajraSpy RAT code and developer certificate.
The date of upload of these applications was between April 2021 and March 2023. Among these applications, only one was found to be a new application that differed from the rest.
Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Try Trustifi Free Threat Scan with Sophisticated AI-Powered Email Protection .
The earliest app was discovered to be Privee Talk, uploaded on April 1st, 2021, and the latest app was Wave Chat, which appeared in September 2023.
All of these applications combined had nearly 1400 installations. The list of malicious applications is as follows:
According to the reports shared with Cyber Security News, VajraSpy is a customizable trojan that can be used to exfiltrate user data that uses the same class names on all malicious applications.
Additionally, all observed applications shared the same worker classes for data exfiltration. However, the trojanized applications can be split into three groups as
This group consists of malicious applications that were available on Google Play, such as MeetMe, Privee Talk, Let’s Chat, Quick Chat, GlowChat, and Chit Chat. It also includes Hello Chat, which wasn’t available on Google Play.
This group of applications has a standard messaging functionality and initially requires the creation of an account.
In addition, mobile number verification is also performed using OTP SMS codes. However, this is an irrelevant step as the VajraSpy is already running regardless of this step’s success.
Moreover, phone number verification is speculated to be performed by threat actors as a means of learning the victim’s country code.
All of the applications categorized under this group are capable of performing exfiltrating the following data.
Trojanized messaging applications with advanced functionalities
This group consists of TikTalk, Nidus, YohooTalk, Crazy Talk, and Wave Chat applications. These applications perform extended capabilities such as intercepting WhatsApp, WhatsApp Business, and signal communication.
Moreover, VajraSpy also logs any visible communications from these apps in the console and in the local database, which are uploaded to the Firebase-hosted C&C server. Apart from this, these applications can also intercept any device notifications.
One of the applications inside the group, Wave Chat, was found to have additional capabilities, such as:
As mentioned earlier, only the Rafaqat رفاقت application belongs to this group, which is the only non-chat application. Though this application asks for a phone number, no verification is performed.
This application was also found to be capable of intercepting notifications and exfiltrateContacts and files with Specific extensions such as .pdf, .doc, .docx, .txt, .ppt, .pptx, .xls, .xlsx, .jpg, .jpeg, .png, .mp3, .Om4a, .aac, and .opus.
ESET reported that these applications have been published, providing detailed information about the source code, application analysis, malware analysis, and other information.
| SHA-1 | Package name | ESET detection name | Description |
| BAF6583C54FC680AA6F71F3B694E71657A7A99D0 | com.hello.chat | Android/Spy.VajraSpy.B | VajraSpy trojan. |
| 846B83B7324DFE2B98264BAFAC24F15FD83C4115 | com.chit.chat | Android/Spy.VajraSpy.A | VajraSpy trojan. |
| 5CFB6CF074FF729E544A65F2BCFE50814E4E1BD8 | com.meeete.org | Android/Spy.VajraSpy.A | VajraSpy trojan. |
| 1B61DC3C2D2C222F92B84242F6FCB917D4BC5A61 | com.nidus.no | Android/Spy.Agent.BQH | VajraSpy trojan. |
| BCD639806A143BD52F0C3892FA58050E0EEEF401 | com.rafaqat.news | Android/Spy.VajraSpy.A | VajraSpy trojan. |
| 137BA80E443610D9D733C160CCDB9870F3792FB8 | com.tik.talk | Android/Spy.VajraSpy.A | VajraSpy trojan. |
| 5F860D5201F9330291F25501505EBAB18F55F8DA | com.wave.chat | Android/Spy.VajraSpy.C | VajraSpy trojan. |
| 3B27A62D77C5B82E7E6902632DA3A3E5EF98E743 | com.priv.talk | Android/Spy.VajraSpy.C | VajraSpy trojan. |
| 44E8F9D0CD935D0411B85409E146ACD10C80BF09 | com.glow.glow | Android/Spy.VajraSpy.A | VajraSpy trojan. |
| 94DC9311B53C5D9CC5C40CD943C83B71BD75B18A | com.letsm.chat | Android/Spy.VajraSpy.A | VajraSpy trojan. |
| E0D73C035966C02DF7BCE66E6CE24E016607E62E | com.nionio.org | Android/Spy.VajraSpy.C | VajraSpy trojan. |
| 235897BCB9C14EB159E4E74DE2BC952B3AD5B63A | com.qqc.chat | Android/Spy.VajraSpy.A | VajraSpy trojan. |
| 8AB01840972223B314BF3C9D9ED3389B420F717F | com.yoho.talk | Android/Spy.VajraSpy.A | VajraSpy trojan. |
| IP | Domain | Hosting provider | First seen | Details |
| 34.120.160[.]131 | hello-chat-c47ad-default-rtdb.firebaseio[.]comchit-chat-e9053-default-rtdb.firebaseio[.]commeetme-abc03-default-rtdb.firebaseio[.]comchatapp-6b96e-default-rtdb.firebaseio[.]comtiktalk-2fc98-default-rtdb.firebaseio[.]comwave-chat-e52fe-default-rtdb.firebaseio[.]comprivchat-6cc58-default-rtdb.firebaseio[.]comglowchat-33103-default-rtdb.firebaseio[.]comletschat-5d5e3-default-rtdb.firebaseio[.]comquick-chat-1d242-default-rtdb.firebaseio[.]comyooho-c3345-default-rtdb.firebaseio[.]com | Google LLC | 2022-04-01 | VajraSpy C&C servers |
| 35.186.236[.]207 | rafaqat-d131f-default-rtdb.asia-southeast1.firebasedatabase[.]app | Google LLC | 2023-03-04 | VajraSpy C&C server |
| 160.20.147[.]67 | N/A | aurologic GmbH | 2021-11-03 | VajraSpy C&C server |
Researchers observed Lumma Stealer activity across multiple online samples, including PowerShell scripts and a disguised…
Palo Alto Networks reported the Contagious Interview campaign in November 2023, a financially motivated attack…
The recent discovery of the NjRat 2.3D Professional Edition on GitHub has raised alarms in…
A critical vulnerability, CVE-2024-3393, has been identified in the DNS Security feature of Palo Alto…
Threat Analysts have reported alarming findings about the "Araneida Scanner," a malicious tool allegedly based…
A major dark web operation dedicated to circumventing KYC (Know Your Customer) procedures, which involves…