Recent investigations have unveiled a troubling trend in the realm of mobile applications, particularly those operating on the Android platform. A series of malicious apps have been identified that possess the capability to spy on users, extracting messages from popular communication platforms like WhatsApp and Signal, while also recording conversations without user consent. Among these, an app named WaveChat has raised significant concerns due to its ability to capture background audio even when the microphone is not actively in use, as reported by cybersecurity firm ESET.
Understanding the Threat
Upon installation, these malicious applications deploy a remote access trojan (RAT) known as VajraSpy. Fortunately, the threat appears to be geographically limited; ESET’s research indicates that these spyware apps were not specifically targeting users in the United States and had only been downloaded approximately 1,400 times. The primary focus of these apps seems to be users in India and Pakistan, where the threat actors likely employed a honey-trap romance scam to entice victims into downloading the malware.
The findings are detailed in a recent article on WeLiveSecurity, a publication associated with ESET. The researchers identified a total of 12 spyware apps, including six that were available on the Google Play Store. The remaining six were accessible via VirusTotal, a well-known cybersecurity tool. The identified malicious Android apps include:
- Privee Talk
- MeetMe*
- Let’s Chat
- Quick Chat
- Rafaqat رفاق
- Chit Chat
*It is important to note that other apps sharing the same name may exist in your region. Notably, the widely popular MeetMe app, which boasts over 100 million downloads, is not related to these spyware variants.
As a precaution, users are reminded that the mere presence of an app on the Google Play or Apple App Store does not guarantee its safety. It is advisable to download applications only from reputable sources and to exercise caution regarding the permissions granted to these apps. Malicious applications often mimic legitimate ones, as evidenced by recent incidents involving counterfeit Sora apps. In October, ESET researchers uncovered two spyware apps masquerading as the Android Signal app, specifically targeting users in the United Arab Emirates.
Interestingly, one of the malicious VajraSpy apps appeared to exploit the popularity of a well-known Pakistani cricket player. An app was uploaded by a user named Mohammad Rizwan, coincidentally sharing a name with a celebrated professional cricketer, although it should be noted that Rizwan is not connected to this malicious activity. ESET researchers attribute the development of these spyware apps to Patchwork APT, a recognized entity within the cybersecurity landscape.
