Romance scam baits!
Patchwork Used Romance Scam Lures to Infect Android Devices with VajraSpy Malware
The threat actor known as Patchwork likely used romance scams to trap victims in Pakistan and India, infecting their Android devices with a remote access trojan called VajraSpy.
Slovak cybersecurity firm ESET said it had uncovered 12 spying apps, six of which were available for download from the official Google Play Store, and which were collectively downloaded more than 1,400 times between April 2021 and March 2023.
“VajraSpy has a number of spying functions that can be extended based on the permissions granted to the application bundled with its code,” said security researcher Lukáš Štefanko. “It steals contacts, files, call logs and SMS messages, but some of its apps can even extract WhatsApp and Signal messages, record phone calls and take photos with the camera.”
It is estimated that some 148 devices were compromised in Pakistan and India. The malicious apps distributed via Google Play and elsewhere primarily masqueraded as messaging apps, and the most recent one was still being propagated as recently as September 2023. The apps and their package names are:
Privee Talk (com.priv.talk)
MeetMe (com.meeete.org)
Let's Chat (com.letsm.chat)
Quick Chat (com.qqc.chat)
Rafaqat رفاق (com.rafaqat.news)
Chit Chat (com.chit.chat)
YohooTalk (com.yoho.talk)
TikTalk (com.tik.talk)
Hello Chat (com.hello.chat)
Nidus (com.nidus.no or com.nionio.org)
GlowChat (com.glow.glow)
Wave Chat (com.wave.chat)
Rafaqat رفاق stands out because it is the only non-messaging app and is promoted as a way to access the latest news. It was uploaded to Google Play on October 26, 2022 by a developer named Mohammad Rizwan and reached a total of 1,000 downloads before it was taken down by Google.
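The package names listed above are the only indicators this article gives, so the most direct defensive use of them is a triage check of a device's installed packages. The script below is an added example (not ESET's or Google's code): it parses the text that `adb shell pm list packages` prints, with or without the `-f` flag that prefixes each name with its APK path, and reports any package from the article's list. The sample output embedded in it is constructed, not captured from a real device.

```python
"""Check a device's installed package list against the VajraSpy package
names reported by ESET (as listed in the article above).

Added example, not ESET's or Google's code. Input is the text that
`adb shell pm list packages` (optionally with -f) prints; the sample at the
bottom is constructed for offline use.
"""
import re

# Package names taken from the article. Nidus is listed under two names.
VAJRASPY_PACKAGES = {
    "com.priv.talk": "Privee Talk",
    "com.meeete.org": "MeetMe",
    "com.letsm.chat": "Let's Chat",
    "com.qqc.chat": "Quick Chat",
    "com.rafaqat.news": "Rafaqat",
    "com.chit.chat": "Chit Chat",
    "com.yoho.talk": "YohooTalk",
    "com.tik.talk": "TikTalk",
    "com.hello.chat": "Hello Chat",
    "com.nidus.no": "Nidus",
    "com.nionio.org": "Nidus",
    "com.glow.glow": "GlowChat",
    "com.wave.chat": "Wave Chat",
}

# `pm list packages` prints "package:<name>"; with -f it prints
# "package:<apk path>=<name>". The path may itself contain "=", so the
# name is taken from the last "=" by letting the path group backtrack.
_PM_LINE = re.compile(r"^package:(?:(?P<path>.+?)=)?(?P<name>[A-Za-z0-9_.]+)\s*$")


def parse_pm_list(output: str) -> dict:
    """Return {package_name: apk_path_or_None} from pm output; junk lines are ignored."""
    installed = {}
    for line in output.splitlines():
        m = _PM_LINE.match(line.strip())
        if m:
            installed[m.group("name")] = m.group("path")
    return installed


def find_vajraspy(installed: dict) -> list:
    """Return sorted (package, app_label, apk_path) triples for every known package."""
    hits = []
    for name, path in installed.items():
        if name in VAJRASPY_PACKAGES:
            hits.append((name, VAJRASPY_PACKAGES[name], path))
    return sorted(hits)


# Constructed sample: two benign packages, two from the list (one in -f form),
# and one line that is not pm output at all.
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome
package:com.whatsapp
package:com.rafaqat.news
package:/data/app/~~abc==/com.qqc.chat-1/base.apk=com.qqc.chat
this line is not pm output
"""

if __name__ == "__main__":
    for pkg, label, path in find_vajraspy(parse_pm_list(SAMPLE_PM_OUTPUT)):
        print(f"HIT {pkg} ({label}) apk={path or 'n/a'}")
```

A package name is a weak indicator on its own: a benign app could reuse one, and a repackaged sample can carry a different one. Treat a hit as a reason to pull the APK and compare it against the hashes in ESET's report (which this article does not reproduce) rather than as a verdict.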
The malware's exact distribution vector is currently unclear, but the nature of the apps suggests that targets were tricked into downloading them as part of a honeytrap romance scam, with the perpetrators persuading them to install these fake applications under the pretext of having a safer conversation.
This isn't the first time Patchwork, a threat actor with suspected ties to India, has used this technique. In March 2023, Meta revealed that the hacking team had created fictitious personas on Facebook and Instagram to share links to fake apps targeting victims in Pakistan, India, Bangladesh, Sri Lanka, Tibet and China.
It is also not the first time attackers have been observed deploying VajraRAT, which was previously documented by Chinese cybersecurity company QiAnXin as having been used in a campaign targeting the Pakistani government and military units in early 2022. Vajra takes its name from the Sanskrit word meaning lightning.
In its own analysis of the malware in November 2023, Qihoo 360 linked it to a threat actor it tracked under the name Fire Demon Snake (aka APT-C-52).
Apart from Pakistan and India, Nepalese government institutions were also targeted by a phishing campaign that most likely delivered a Nim-based backdoor. This was attributed to the SideWinder group, another group that has been said to operate with India's interests in mind.
This development came to light as financially motivated threat actors from Pakistan and India were found to be targeting Indian Android users with a fake credit app (Moneyfine or "com.moneyfine.fine") that abuses the know your customer (KYC) process to create a nude image of the victim and then demands payment under threat of distributing the doctored photos to the victim's contacts.
"These unknown, financially motivated threat actors make tempting promises of providing fast loans with minimal formalities, distribute malware to compromise devices, and use threats to extort money," Cyfirma said in an analysis late last month.
This also comes at a time when people are increasingly falling prey to predatory lending apps, which are known to collect sensitive information from infected devices and use blackmail and harassment tactics to force victims into making payments.
According to a recent report published by the Network Contagion Research Institute (NCRI), young people in Australia, Canada and the US are being targeted by financial extortion attacks carried out by the Nigeria-based cybercrime group known as Yahoo Boys.
"Nearly all of these activities are linked to West African cybercriminals known as Yahoo Boys, who target English-speaking minors and young adults primarily on Instagram, Snapchat, and Wizz," NCRI said.
Wizz, which has since removed its Android and iOS apps from the Apple App Store and Google Play Store, disputed the NCRI report, stating that it was "not aware of any successful extortion attempts that have occurred while communicating on the Wizz app."
Please do not click on any link that you are not sure is safe.