A serious new warning this week, with Android users urged to check their phones for a set of very dangerous apps, which not only steal personal data but can even record phone calls. If you have any of these installed, delete them immediately.
This is just the latest such warning about malicious apps on both Google’s Play Store and the patchy collective of “user beware” third-party Android app stores.
The VajraSpy remote access trojan (RAT) was identified by the research team at ESET, which has named “twelve Android espionage apps that share the same malicious code,” six of which “were available on Google Play,” despite its defenses.
ESET attributes the RAT to the Patchwork APT group in Asia. The apps, the team says, “were advertised as messaging tools apart from one that posed as a news app—VajraSpy has a range of espionage functionalities that can be expanded based on the permissions granted to the app bundled with its code. It steals contacts, files, call logs, and SMS messages, but some of its implementations can even extract WhatsApp and Signal messages, record phone calls, and take pictures.”
While there were very few installs from the Play Store, mostly confined to Asia, it’s not known how many apps were downloaded from third-party stores. Google’s official store is much more secure than the alternatives, but the fact that these apps sneaked onto the Play Store in the first place will be a cause for alarm.
These apps appear to have been more targeted than those in other recent malware warnings. Users were sent links through chat apps, often under the guise of online romance. But the apps have also been available on stores for anyone to install.
Other malware-laced apps disclosed recently have been downloaded millions of times. The complete list of dangerous apps can be found below.
This is the third such Android warning in recent weeks, following the SpyLoan and Xamalicious reports. And this one coincides with the current headlines on app store security. Apple has repeatedly pushed back on opening its own ecosystem to third-party stores for security reasons. It is now being forced to do so by way of Europe’s Digital Markets Act (DMA). Stories such as this will not provide much comfort.
In response to ESET’s report, Google has given the assurance that “we take security and privacy claims against apps seriously,” and has confirmed that “all of the reported apps are no longer on Google Play,” adding that Google Play Protect can “warn of apps known to exhibit this malicious behavior on Android devices with Google Play Services, even when those apps come from sources outside of Play.”
Users should check for SpyLoan and Xamalicious apps as well as VajraSpy, all of which are detailed below. They should also look for any so-called “copycat apps” hiding on their phones. Even though all these apps have been removed from the Play Store, some are still available in the wild and won’t have been automatically deleted.
VajraSpy:
- Hello Chat
- Chit Chat
- Meet Me
- Nidus
- Rafaqat News
- Tik Talk
- Wave Chat
- Prive Talk
- Glow Glow
- Lets Chat
- NioNio
- Quick Chat
- Yoho Talk
Xamalicious:
- Essential Horoscope for Android
- 3D Skin Editor for PE Minecraft
- Logo Maker Pro
- Auto Click Repeater
- Count Easy Calorie Calculator
- Sound Volume Extender
- LetterLink
- Numerology: Personal Horoscope & Number Predictions
- Step Keeper: Easy Pedometer
- Track Your Sleep
- Sound Volume Booster
- Astrological Navigator: Daily Horoscope & Tarot
- Universal Calculator
SpyLoan:
- AA Kredit
- Amor Cash
- GuayabaCash
- EasyCredit
- Cashwow
- CrediBus
- FlashLoan
- PréstamosCrédito
- Préstamos De Crédito-YumiCash
- Go Crédito
- Instantáneo Préstamo
- Cartera grande
- Rápido Crédito
- Finupp Lending
- 4S Cash
- TrueNaira
- EasyCash
As I have said repeatedly, the dangers of sideloading will be much debated through 2024, ahead of Apple’s changes in iOS 17 updates and then iOS 18 in the fall.
When Apple does begin to move beyond its App Store exclusivity, I suspect we will see much more focus on the vulnerabilities in the Android ecosystem, where the right balance between choice and risk is proving impossible to find.
In addition to being wary of unofficial app stores, ESET strongly advises against installing apps via links sent through chat apps. “Cybercriminals wield social engineering as a powerful weapon. We strongly recommend against clicking any links to download an application that are sent in a chat conversation.”
I would go further and advise against casual downloads of any apps onto your phone, unless you have confidence in their provenance and their developer. Once installed, and given rife permission abuse, apps can potentially access everything on your device, the key to your private life.
Meanwhile, check your phone for the 40+ apps above, and maybe start to delete the casual apps you’ve collected over the years and no longer use. It’s good practice, especially at the moment, and you’d be well advised to do some housekeeping.