New Android Malware on Google Play Disguised as News Apps
Researchers have discovered twelve malicious Android espionage applications, all of them carrying remote access trojan (RAT) code known as VajraSpy.

Six of them were available on the Google Play Store, while the other six were found on VirusTotal.

All of these applications share several traits, such as a messaging platform bundled with the VajraSpy RAT code and a common developer certificate.

These applications were uploaded between April 2021 and March 2023. Only one of them was found to differ from the rest.

The earliest app, Privee Talk, was uploaded on April 1st, 2021, and the latest, Wave Chat, appeared in September 2023.

Combined, these applications had nearly 1400 installations. The list of malicious applications is as follows:

  • Rafaqat رفاقت
  • Privee talk
  • MeetMe
  • Let’s Chat
  • Quick Chat
  • Chit Chat
  • TikTalk
  • Hello Chat
  • YohooTalk
  • Nidus
  • GlowChat
  • WaveChat
  • Click App
  • Crazy Talk

Login screens of the malicious chat applications (Source: ESET)

Android Malware on Google Play

According to the reports shared with Cyber Security News, VajraSpy is a customizable trojan used to exfiltrate user data, and it uses the same class names across all of the malicious applications.

Same malicious application classes (Source: ESET)

Additionally, all observed applications share the same worker classes for data exfiltration. The trojanized applications can nevertheless be split into three groups:

  1. Trojanized messaging applications with basic functionalities
  2. Trojanized messaging applications with advanced functionalities
  3. Non-Messaging applications

Timeline of the applications (Source: ESET)

Trojanized Messaging Applications

This group consists of malicious applications that were available on Google Play, such as MeetMe, Privee Talk, Let’s Chat, Quick Chat, GlowChat, and Chit Chat. It also includes Hello Chat, which wasn’t available on Google Play.

The applications in this group offer standard messaging functionality and first require the creation of an account.

Mobile number verification is also performed using OTP SMS codes. However, that step is irrelevant to the malware: VajraSpy is already running regardless of whether verification succeeds.

Phone number verification is speculated to serve the threat actors as a way of learning the victim's country code.

All of the applications in this group are capable of exfiltrating the following data:

  • Contacts,
  • SMS messages,
  • call logs,
  • device location,
  • a list of installed apps, and
  • files with specific extensions (.pdf, .doc, .docx, .txt, .ppt, .pptx, .xls, .xlsx, .jpg, .jpeg, .png, .mp3, .Om4a, .aac, and .opus).

Trojanized messaging applications with advanced functionalities

This group consists of the TikTalk, Nidus, YohooTalk, Crazy Talk, and Wave Chat applications. They have extended capabilities, such as intercepting WhatsApp, WhatsApp Business, and Signal communications.

VajraSpy also logs any visible communications from these apps to the console and to a local database, which is uploaded to the Firebase-hosted C&C server. These applications can also intercept any device notifications.

One of the applications inside the group, Wave Chat, was found to have additional capabilities, such as:

  • record phone calls,
  • record calls from WhatsApp, WhatsApp Business, Signal, and Telegram,
  • log keystrokes,
  • take pictures using the camera,
  • record surrounding audio, and
  • scan for Wi-Fi networks.
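The capability lists above (contacts, SMS, call logs, location, installed apps, files, notifications, audio and call recording, camera, Wi-Fi scanning) translate into a recognisable set of Android permissions. The following triage script is an added example, not code from ESET or from the VajraSpy samples: it maps each capability the article describes to the permission(s) an app would need for it and reports which of them a manifest requests. The two manifests are constructed for illustration, and the flagging threshold is an assumption for this example.

```python
"""Triage an AndroidManifest.xml against the VajraSpy capability set.

Added example, not code from ESET or from the samples: it maps the data
categories the article lists (contacts, SMS, call logs, location, installed
apps, files, notifications, audio/call recording, camera, Wi-Fi scanning) to
the Android permissions an app would need to collect them, then reports which
of those capabilities a given manifest requests. Both manifests below are
constructed for illustration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Capability described in the article -> permissions that would enable it.
# Any one permission in a set is enough to count the capability as requested.
CAPABILITY_PERMISSIONS = {
    "contacts": {"android.permission.READ_CONTACTS"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "call logs": {"android.permission.READ_CALL_LOG"},
    "device location": {"android.permission.ACCESS_FINE_LOCATION",
                        "android.permission.ACCESS_COARSE_LOCATION"},
    "installed apps": {"android.permission.QUERY_ALL_PACKAGES"},
    "files": {"android.permission.READ_EXTERNAL_STORAGE",
              "android.permission.MANAGE_EXTERNAL_STORAGE"},
    "record audio / calls": {"android.permission.RECORD_AUDIO"},
    "camera": {"android.permission.CAMERA"},
    "wi-fi scanning": {"android.permission.ACCESS_WIFI_STATE"},
}
# A notification listener is declared as a <service> guarded by this permission.
NOTIFICATION_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"


def requested_capabilities(manifest_xml: str) -> list:
    """Return the sorted list of article-listed capabilities the manifest enables."""
    root = ET.fromstring(manifest_xml)
    # Element tags carry no namespace; only the android:* attributes do.
    perms = {e.get(NAME) for e in root.iter("uses-permission")}
    caps = {cap for cap, needed in CAPABILITY_PERMISSIONS.items() if perms & needed}
    if any(s.get(PERMISSION) == NOTIFICATION_LISTENER for s in root.iter("service")):
        caps.add("notifications")
    return sorted(caps)


def triage(manifest_xml: str, threshold: int = 5) -> tuple:
    """Return (capabilities, flagged). The threshold is an assumption of this
    example: a chat app may legitimately need contacts and camera, but one
    that also reads SMS, call logs, every installed package and all
    notifications warrants a closer look."""
    caps = requested_capabilities(manifest_xml)
    return caps, len(caps) >= threshold


# Constructed manifest resembling what a trojanized "chat" app would request.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application>
    <service android:name=".NotifListener"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed manifest of a minimal messenger, for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.minimal">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""

if __name__ == "__main__":
    for label, xml in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        caps, flagged = triage(xml)
        print(f"{label}: flagged={flagged} capabilities={caps}")
```

Permissions alone do not prove malice, and an app can still abuse a permission it has a plausible reason to hold; the point of the script is to surface the combination the article describes so that a reviewer looks at the APK's code and network behaviour next.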

Non-Messaging applications

Only the Rafaqat رفاقت application belongs to this group; it is the only non-chat application. Although it asks for a phone number, no verification is performed.

This application is also capable of intercepting notifications and exfiltrating contacts and files with specific extensions (.pdf, .doc, .docx, .txt, .ppt, .pptx, .xls, .xlsx, .jpg, .jpeg, .png, .mp3, .Om4a, .aac, and .opus).

ESET has published a report on these applications, providing detailed information about the source code, application analysis, malware analysis, and more.

Indicators of Compromise

Files

SHA-1 | Package name | ESET detection name | Description
BAF6583C54FC680AA6F71F3B694E71657A7A99D0 | com.hello.chat | Android/Spy.VajraSpy.B | VajraSpy trojan.
846B83B7324DFE2B98264BAFAC24F15FD83C4115 | com.chit.chat | Android/Spy.VajraSpy.A | VajraSpy trojan.
5CFB6CF074FF729E544A65F2BCFE50814E4E1BD8 | com.meeete.org | Android/Spy.VajraSpy.A | VajraSpy trojan.
1B61DC3C2D2C222F92B84242F6FCB917D4BC5A61 | com.nidus.no | Android/Spy.Agent.BQH | VajraSpy trojan.
BCD639806A143BD52F0C3892FA58050E0EEEF401 | com.rafaqat.news | Android/Spy.VajraSpy.A | VajraSpy trojan.
137BA80E443610D9D733C160CCDB9870F3792FB8 | com.tik.talk | Android/Spy.VajraSpy.A | VajraSpy trojan.
5F860D5201F9330291F25501505EBAB18F55F8DA | com.wave.chat | Android/Spy.VajraSpy.C | VajraSpy trojan.
3B27A62D77C5B82E7E6902632DA3A3E5EF98E743 | com.priv.talk | Android/Spy.VajraSpy.C | VajraSpy trojan.
44E8F9D0CD935D0411B85409E146ACD10C80BF09 | com.glow.glow | Android/Spy.VajraSpy.A | VajraSpy trojan.
94DC9311B53C5D9CC5C40CD943C83B71BD75B18A | com.letsm.chat | Android/Spy.VajraSpy.A | VajraSpy trojan.
E0D73C035966C02DF7BCE66E6CE24E016607E62E | com.nionio.org | Android/Spy.VajraSpy.C | VajraSpy trojan.
235897BCB9C14EB159E4E74DE2BC952B3AD5B63A | com.qqc.chat | Android/Spy.VajraSpy.A | VajraSpy trojan.
8AB01840972223B314BF3C9D9ED3389B420F717F | com.yoho.talk | Android/Spy.VajraSpy.A | VajraSpy trojan.

Network

IP: 34.120.160[.]131
Domains:
  • hello-chat-c47ad-default-rtdb.firebaseio[.]com
  • chit-chat-e9053-default-rtdb.firebaseio[.]com
  • meetme-abc03-default-rtdb.firebaseio[.]com
  • chatapp-6b96e-default-rtdb.firebaseio[.]com
  • tiktalk-2fc98-default-rtdb.firebaseio[.]com
  • wave-chat-e52fe-default-rtdb.firebaseio[.]com
  • privchat-6cc58-default-rtdb.firebaseio[.]com
  • glowchat-33103-default-rtdb.firebaseio[.]com
  • letschat-5d5e3-default-rtdb.firebaseio[.]com
  • quick-chat-1d242-default-rtdb.firebaseio[.]com
  • yooho-c3345-default-rtdb.firebaseio[.]com
Hosting provider: Google LLC
First seen: 2022-04-01
Details: VajraSpy C&C servers

IP: 35.186.236[.]207
Domain: rafaqat-d131f-default-rtdb.asia-southeast1.firebasedatabase[.]app
Hosting provider: Google LLC
First seen: 2023-03-04
Details: VajraSpy C&C server

IP: 160.20.147[.]67
Domain: N/A
Hosting provider: aurologic GmbH
First seen: 2021-11-03
Details: VajraSpy C&C server
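The file and network indicators above are only useful if they are checked against something. The script below is an added example, not ESET's tooling: it carries the SHA-1 hashes, package names, IPs and (defanged) Firebase domains exactly as printed in the two tables, refangs the network indicators, and matches them against a local APK's hash and package name and against DNS/firewall log lines. The log lines and their format (timestamp, source, host, event fields) are constructed for the example.

```python
"""Match the file and network IoCs from this article against local data.

Added example, not ESET's tooling. Indicator values are copied from the
tables above; the sample log lines and their format are constructed.
"""
import hashlib
import re

# SHA-1 -> (package name, ESET detection name), from the Files table.
FILE_IOCS = {
    "BAF6583C54FC680AA6F71F3B694E71657A7A99D0": ("com.hello.chat", "Android/Spy.VajraSpy.B"),
    "846B83B7324DFE2B98264BAFAC24F15FD83C4115": ("com.chit.chat", "Android/Spy.VajraSpy.A"),
    "5CFB6CF074FF729E544A65F2BCFE50814E4E1BD8": ("com.meeete.org", "Android/Spy.VajraSpy.A"),
    "1B61DC3C2D2C222F92B84242F6FCB917D4BC5A61": ("com.nidus.no", "Android/Spy.Agent.BQH"),
    "BCD639806A143BD52F0C3892FA58050E0EEEF401": ("com.rafaqat.news", "Android/Spy.VajraSpy.A"),
    "137BA80E443610D9D733C160CCDB9870F3792FB8": ("com.tik.talk", "Android/Spy.VajraSpy.A"),
    "5F860D5201F9330291F25501505EBAB18F55F8DA": ("com.wave.chat", "Android/Spy.VajraSpy.C"),
    "3B27A62D77C5B82E7E6902632DA3A3E5EF98E743": ("com.priv.talk", "Android/Spy.VajraSpy.C"),
    "44E8F9D0CD935D0411B85409E146ACD10C80BF09": ("com.glow.glow", "Android/Spy.VajraSpy.A"),
    "94DC9311B53C5D9CC5C40CD943C83B71BD75B18A": ("com.letsm.chat", "Android/Spy.VajraSpy.A"),
    "E0D73C035966C02DF7BCE66E6CE24E016607E62E": ("com.nionio.org", "Android/Spy.VajraSpy.C"),
    "235897BCB9C14EB159E4E74DE2BC952B3AD5B63A": ("com.qqc.chat", "Android/Spy.VajraSpy.A"),
    "8AB01840972223B314BF3C9D9ED3389B420F717F": ("com.yoho.talk", "Android/Spy.VajraSpy.A"),
}
KNOWN_PACKAGES = {pkg for pkg, _ in FILE_IOCS.values()}

# Defanged indicators, as printed in the Network table.
NETWORK_IOCS_DEFANGED = [
    "34.120.160[.]131", "35.186.236[.]207", "160.20.147[.]67",
    "hello-chat-c47ad-default-rtdb.firebaseio[.]com",
    "chit-chat-e9053-default-rtdb.firebaseio[.]com",
    "meetme-abc03-default-rtdb.firebaseio[.]com",
    "chatapp-6b96e-default-rtdb.firebaseio[.]com",
    "tiktalk-2fc98-default-rtdb.firebaseio[.]com",
    "wave-chat-e52fe-default-rtdb.firebaseio[.]com",
    "privchat-6cc58-default-rtdb.firebaseio[.]com",
    "glowchat-33103-default-rtdb.firebaseio[.]com",
    "letschat-5d5e3-default-rtdb.firebaseio[.]com",
    "quick-chat-1d242-default-rtdb.firebaseio[.]com",
    "yooho-c3345-default-rtdb.firebaseio[.]com",
    "rafaqat-d131f-default-rtdb.asia-southeast1.firebasedatabase[.]app",
]


def refang(indicator: str) -> str:
    """Turn the published '[.]' form back into a matchable hostname or IP."""
    return indicator.replace("[.]", ".")


NETWORK_IOCS = {refang(i) for i in NETWORK_IOCS_DEFANGED}


def sha1_of_file(path: str) -> str:
    """Upper-case SHA-1 of a file on disk, read in chunks (for APKs)."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def check_apk(sha1_hex: str, package_name: str):
    """Return the ESET detection name on an exact hash match, a note when only
    the package name matches (a build not in the table), or None."""
    hit = FILE_IOCS.get(sha1_hex.upper())
    if hit:
        return hit[1]
    if package_name in KNOWN_PACKAGES:
        return "package name matches IoC list, hash differs (possible other build)"
    return None


# Hostnames and IPs, whether defanged or not; ':port' and other punctuation end a token.
TOKEN = re.compile(r"[A-Za-z0-9][A-Za-z0-9.\-\[\]]*")


def scan_log(lines) -> list:
    """Return (line number, indicator) for every network IoC seen in the lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        for tok in TOKEN.findall(line):
            cand = refang(tok).rstrip(".").lower()
            if cand in NETWORK_IOCS:
                hits.append((n, cand))
    return hits


# Constructed log lines: "<timestamp> <source> <host> <event fields...>".
SAMPLE_LOG = [
    "2024-01-10T09:14:02Z dns android-7f3a query A chit-chat-e9053-default-rtdb.firebaseio.com",
    "2024-01-10T09:14:02Z dns android-7f3a answer chit-chat-e9053-default-rtdb.firebaseio.com 34.120.160.131",
    "2024-01-10T09:15:40Z dns android-2b9c query A www.example.com",
    "2024-01-10T09:16:11Z fw android-7f3a connect 160.20.147.67:443",
    "2024-01-10T09:20:00Z note analyst ticket-42 host resolved to 34.120.160[.]131",
]

if __name__ == "__main__":
    for n, ioc in scan_log(SAMPLE_LOG):
        print(f"line {n}: {ioc}")
    print(check_apk("BAF6583C54FC680AA6F71F3B694E71657A7A99D0", "com.hello.chat"))
```

For a real APK, `check_apk(sha1_of_file("app.apk"), package)` gives the hash match; the package name comes from the manifest (for example via `aapt dump badging`). A package-name-only match is worth keeping as a separate, weaker signal because the table lists one hash per app and the text describes the same apps being re-uploaded over two years.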
