The notorious Pegasus spyware developed by the NSO Group has once again made headlines, this time for being deployed in Jordan to spy on journalists and activists. While this high-profile case has drawn significant attention, including a lawsuit from Apple, a more insidious threat lurks in the everyday apps on Android devices. According to a report by ESET security experts, a new wave of seemingly innocent Android chat apps is being used to harvest sensitive data from unsuspecting users.
ESET has identified at least 12 Android apps that have been planting a Trojan on users’ phones, allowing its operators to steal details such as call logs and messages, and even gain remote control of the camera. The Trojan, named VajraSpy, can also extract chat details from end-to-end encrypted platforms like WhatsApp and Signal.
Apps to Watch Out For
The apps involved in this espionage include:
- YohooTalk
- TikTalk
- Privee Talk
- MeetMe
- Nidus
- GlowChat
- Let’s Chat
- Quick Chat
- Rafaqat
- Chit Chat
- Hello Chat
- Wave Chat
If any of these apps are installed on your device, experts advise deleting them immediately.
The Risk on Google Play Store
Alarmingly, six of these apps were available on the Google Play Store, raising concerns about the effectiveness of Google’s security protocols. The presence of these apps on a trusted platform like Google Play Store puts a large number of users at risk, as many assume apps available there are safe.
The VajraSpy Trojan
At the core of these apps’ malicious activities is VajraSpy, a Remote Access Trojan (RAT). VajraSpy is capable of stealing contacts, files, call logs, SMS messages, and even WhatsApp and Signal messages. It can record phone calls, take pictures with the camera, and capture the user’s data without their knowledge.
This isn’t the first time VajraSpy has raised alarms. In 2022, Broadcom identified it as a RAT variant that uses Google Cloud Storage to collect data from infected Android devices. VajraSpy has been linked to the threat group APT-Q-43, known for targeting members of the Pakistani military.
Social Engineering and Romance Scams
These apps often rely on romance-themed social engineering to lure targets. This method is particularly dangerous as it preys on the emotions of the victims. Scroll reported in 2023 on spies using “honey traps” to target Indian scientists and military personnel, extracting sensitive information through a mix of romance and blackmail. Even the FBI has issued alerts about digital romance scams, with a White House staffer recently losing over half a million dollars in one such scam.
The Full Extent of the Threat
In the latest instance of VajraSpy deployment, the apps were able to extract contact details, messages, call logs, and various local files in formats such as .pdf, .doc, .jpeg, .mp3, and more. These apps could also intercept messages on secure platforms like WhatsApp and Signal, record phone calls, log keystrokes, take pictures, and even take over the microphone to record audio—all without the victim’s knowledge.
How to Protect Yourself
Given the increasing sophistication of these threats, it is crucial to be vigilant about the apps you install on your device. Experts recommend disabling notification access for apps that don’t need it as a way to protect your data. Always verify the authenticity of apps and avoid downloading those from unknown or suspicious developers.
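One way to act on the notification-access advice above is to audit which apps currently hold that permission. The following is an added example, not code from ESET or from the original article: it parses the colon-separated component list Android keeps in the secure setting enabled_notification_listeners and flags every listener whose package is not on an allow-list. It assumes adb is installed and USB debugging is enabled for the live check; the allow-list and the sample value are constructed placeholders.

```python
import subprocess

# Assumption: packages the device owner has decided genuinely need
# notification access. Constructed placeholder, replace with your own list.
ALLOWED_PACKAGES = {"com.example.watchcompanion"}

# Constructed sample of what the setting can look like on a device.
SAMPLE = ("com.example.watchcompanion/.NotifyService:"
          "com.example.chatapp/com.example.chatapp.svc.Listener")


def parse_listeners(raw):
    """Return (package, class) pairs from the 'package/class' entries,
    separated by ':', stored in enabled_notification_listeners."""
    raw = (raw or "").strip()
    if raw in ("", "null"):       # 'null' is printed when the setting is unset
        return []
    components = []
    for item in raw.split(":"):
        item = item.strip()
        if "/" not in item:       # skip empty or malformed entries
            continue
        package, cls = item.split("/", 1)
        if cls.startswith("."):   # short form: class is relative to the package
            cls = package + cls
        components.append((package, cls))
    return components


def unexpected_listeners(raw, allowed=ALLOWED_PACKAGES):
    """List components with notification access whose package is not allowed."""
    return [f"{pkg}/{cls}" for pkg, cls in parse_listeners(raw)
            if pkg not in allowed]


def read_from_device():
    """Read the live setting from a connected device over adb."""
    result = subprocess.run(
        ["adb", "shell", "settings", "get", "secure",
         "enabled_notification_listeners"],
        capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    for component in unexpected_listeners(read_from_device()):
        print("review notification access:", component)
```

Anything the script reports can then be reviewed and revoked in the device's notification access settings.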
As digital threats continue to evolve, staying informed and cautious is the best defense against these malicious attacks.