Malware disguised as a messaging app has been found on twelve applications, six of which were available on Google Play between April and September 2023. The malicious software, known as VarajSpy, is referred to as a remote access trojan. This means that the cyber-attacker is able to access your device remotely.
Those infected by VarajSpy became specifically vulnerable to cyberattacks like data theft (including phone contacts) and, depending on permissions granted, even recorded their phone calls.
While these malicious apps have been removed from Google Play, they remain on third-party app stores disguised as messaging and news apps.
Researchers at the anti-virus software company ESET uncovered this campaign. According to them, these cyber-attackers are part of the Patchwork Advanced Persistent Threat (APT) group.
Bogus chat apps
Furthermore, according to Lukas Stefanko, an ESET researcher, these apps were downloaded 1,400 times on Google Play. They had innocent-sounding names like Rafaqat, Privee Talk, MeetMe, Let’s Chat, Quick Chat, and Chit Chat.
Unlike Google Play, it is difficult to track how many applications were downloaded from third-party app stores. Still, they did have similarly innocuous-sounding names like Hello Chat, YohooTalk, TikTalk, Nidus, GlowChat, and Wave Chat.
Analysis by ESET also found that the majority of these hacking victims were located in Pakistan, and that they were most likely tricked into installing these bogus chat apps as part of a wider romance scam.
In a statement to BleepingComputer, a spokesperson for Google said: “We take security and privacy claims against apps seriously, and if we find that an app has violated our policies, we take appropriate action.”
“Users are protected by Google Play Protect, which can warn users of apps known to exhibit this malicious behavior on Android devices with Google Play Services, even when those apps come from sources outside of Play.”