Security researchers have recently uncovered a concerning trend involving a collection of Android chat applications that have been found to covertly harvest users’ messages. This revelation adds to the growing list of privacy violations affecting widely used technology services. The investigation, conducted by ESET, linked these malicious applications to a remote access trojan known as VajraSpy, with a significant focus on users in India and Pakistan, resulting in approximately 1,400 downloads.
What researchers uncovered about the VajraSpy campaign
ESET’s analysis identified a total of 12 malicious applications, six of which were available on Google Play before being flagged for their suspicious activity. The apps included:
- Privee Talk
- MeetMe
- Let’s Chat
- Quick Chat
- Rafaqat رفاق
- Chit Chat
Upon installation, these applications deployed VajraSpy modules capable of extensive surveillance, such as extracting messages from encrypted chat platforms and recording ambient sounds in real time. Notably, one app, WaveChat, was particularly alarming as it could record background audio without being actively launched, showcasing the potential for misuse of microphone permissions. The spyware’s capabilities extended to intercepting communications on platforms like WhatsApp and Signal by exploiting Android’s Accessibility Services or notification access.
Who was targeted in this campaign and how it worked
The operators behind this campaign employed honey-trap tactics, masquerading as friendly chat partners to entice targets into installing these “private” messaging applications outside of conventional safety measures. Some app listings appeared to leverage the fame of celebrities, such as a name identical to that of a well-known Pakistani cricketer, Mohammad Rizwan, although there is no evidence linking the celebrity to the campaign.
The geographic targeting was clear, with victims primarily located in India and Pakistan. While there is no indication that users in the United States were affected, the surveillance techniques employed—utilizing lightweight chat apps distributed via social networks and app stores—could easily be replicated elsewhere. ESET has previously reported similar spyware disguises, including imitation apps posing as Signal to target users in the United Arab Emirates.
What those Android chat apps could have accessed
Although modern Android versions impose technical and policy restrictions on direct call recording, spyware can still capture sensitive audio by activating the microphone, directing the victim to speakerphone, or continuously recording ambient sounds. When combined with Accessibility Services, these tools can read incoming message texts, scrape notifications, and capture displayed content.
The permissions requested by VajraSpy mirrored those of typical espionage tools, including:
- RECORD_AUDIO for audio capture
- READ_CONTACTS and READ_SMS to create a social graph
- Access to notifications and accessibility services for chat interception
- Storage permissions for mining photos, documents, and app data caches
Once granted, these permissions provide attackers with profound insights into an individual’s communications and activities, as noted by ESET’s experts.
Impact on users and questions for platform oversight
The emergence of spyware within mainstream app stores raises critical questions regarding the vetting processes in place. Google’s Play Protect has evolved, incorporating real-time scanning for sideloaded apps and machine-learning assessments to detect malicious behavior. According to recent reports from Google, the incidence of potentially harmful applications on devices limited to Play Store installations has dropped to 0.1%.
However, dedicated espionage applications are crafted to appear benign, minimizing their presence and disguising themselves as familiar categories like dating and chat. This camouflage, combined with social engineering tactics outside the app store, allows these small-scale threats to inflict significant damage.
How to check if your phone is affected and protect it
To safeguard against potential threats, users should review their installed applications for any of the app names identified by researchers: Privee Talk, MeetMe, Let’s Chat, Quick Chat, Rafaqat رفاق, and Chit Chat. If any are found, it is advisable to uninstall them immediately and conduct a Play Protect scan from the Play Store menu.
Additionally, users should navigate to Settings and review permissions, revoking microphone, accessibility, notification access, and storage permissions from apps that do not require them. Special attention should be paid to any application requesting Accessibility Services, as very few chat apps genuinely need such permissions.
Resetting passwords for messaging and email accounts, enabling two-step verification, and reviewing active sessions and connected devices on platforms like WhatsApp and Signal are also prudent measures. For those who sideload apps, it is wise to disable “Install unknown apps” in browsers and file managers.
In cases where significant damage is suspected, backing up important files and performing a factory reset may be necessary. Following restoration, it is crucial to install applications only from trusted developers with established reputations and clear privacy policies.
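As an added example (not code from the article or from ESET), the following POSIX shell script performs the review described above over adb: it lists enabled accessibility services and notification listeners and flags third-party apps holding RECORD_AUDIO, READ_CONTACTS or READ_SMS. It assumes USB debugging is enabled and adb is on PATH; the article names only app titles, so no package names are hard-coded.

```shell
#!/bin/sh
# Added example, not from the article or ESET: audit an Android phone over adb
# for the permission pattern described above (microphone, contacts, SMS,
# accessibility, notification access). Needs USB debugging and adb on PATH.

# Permissions the article lists as typical for VajraSpy.
RISKY_PERMS='android.permission.RECORD_AUDIO android.permission.READ_CONTACTS android.permission.READ_SMS'

# risky_granted: reads "dumpsys package <pkg>" output on stdin and prints every
# risky runtime permission shown as granted=true. Exit status 0 if any was found.
risky_granted() {
  dump=$(cat)
  hits=0
  for perm in $RISKY_PERMS; do
    if printf '%s\n' "$dump" | grep -q "$perm: granted=true"; then
      echo "$perm"
      hits=$((hits + 1))
    fi
  done
  [ "$hits" -gt 0 ]
}

# service_packages: turns the colon-separated value of a "settings get secure"
# key (enabled_accessibility_services / enabled_notification_listeners) into one
# package name per line; "null" (key unset) yields nothing.
service_packages() {
  printf '%s\n' "$1" | tr ':' '\n' | sed -n 's#^\([^/]*\)/.*#\1#p' | sort -u
}

# audit_device: reports the two service lists, then walks every third-party
# package on the connected phone and prints those holding a risky permission.
audit_device() {
  acc=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')
  ntf=$(adb shell settings get secure enabled_notification_listeners | tr -d '\r')
  echo "== packages with accessibility service enabled =="; service_packages "$acc"
  echo "== packages with notification access =="; service_packages "$ntf"
  echo "== third-party apps holding risky permissions =="
  for pkg in $(adb shell pm list packages -3 | tr -d '\r' | sed 's/^package://'); do
    perms=$(adb shell dumpsys package "$pkg" | tr -d '\r' | risky_granted) &&
      printf '%s: %s\n' "$pkg" "$(printf '%s' "$perms" | tr '\n' ' ')"
  done
}

# Run the live audit only when asked; the functions above also work on saved dumps.
if [ "${1:-}" = "--device" ]; then audit_device; fi
```

Run it as `sh audit.sh --device` with the phone connected; any chat app that appears under the accessibility or notification lists, or holds all three risky permissions, deserves the close look the article recommends.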
The bottom line on spyware hidden in chat apps
This campaign highlights the potential for even seemingly innocuous applications to serve as sophisticated spyware in the wrong hands, capturing user information and conversations without raising suspicion. As Ronen Rabinovich, CEO of Phantom, pointed out, the modest download numbers do not diminish the seriousness of the skills involved. A thorough review of applications and permissions is essential for users, serving as a reminder that even familiar categories like messaging warrant careful scrutiny before installation.