On February 1, 2024, ESET reported a newly discovered campaign targeting Pakistani users with the VajraSpy trojan. The ESET analysis attributes the campaign to Patchwork, a cyber-espionage group believed to be either pro-India or in some way affiliated with India.
The campaign leveraged numerous trojanized Android applications which the actor lured victims into installing via social engineering. The primary lure was romance-related: the actor would engage the victim in a chat over WhatsApp or another commonly used instant messaging application, then persuade the victim to move the conversation to a separate application and send a link to the malicious payload, which the victim would install and run.
ESET identified a total of twelve malicious applications, including six that were available on Google Play. As mentioned, most of the applications followed romance or instant messaging themes; the others were presented as news applications.
According to the ESET report, telemetry pointed to Malaysia, but a default phone number with a Pakistani country code bundled into the trojanized applications suggests the actual targets were Pakistani users. This victimology supports the assessment that Patchwork may be behind the scheme.
The objective of the campaign appears to be espionage. Depending on the specific permissions granted to each malicious application, VajraSpy is able to gather personal information and device data such as location, a list of installed applications, call logs, SMS messages and contacts.