We’ve all experienced that unsettling feeling that our phones might be listening to us. For some Android users, that fear may not be unfounded.
Cybersecurity researchers at ESET have uncovered a group of malicious Android apps capable of spying on users, stealing private WhatsApp and Signal messages, and even recording conversations without consent.
One of the most concerning discoveries is an app called WaveChat, which reportedly could record background audio even when the user wasn’t actively using the phone’s microphone.
According to ESET, once downloaded, these apps ran a remote access trojan (RAT) known as VajraSpy, giving hackers access to private data and real-time conversations.
Who the Spyware Targeted
The good news for American users is that these spyware apps were not aimed at the United States. ESET researchers report that the apps were downloaded around 1,400 times and primarily targeted users in India and Pakistan.
The attackers appear to have used romance scams or “honey-traps” to trick victims into installing the infected apps, often disguising them as chat or dating platforms.
Details from ESET’s Investigation
ESET detailed their findings in a post on WeLiveSecurity, the company’s cybersecurity research blog. In total, the team identified 12 spyware apps—six of which had been available on the Google Play Store, while the remaining six were discovered through VirusTotal, a malware detection and analysis platform.
The six trojanized Android apps discovered on the Play Store were:
- Privee Talk
- MeetMe*
- Let’s Chat
- Quick Chat
- Rafaqat (رفاق)
- Chit Chat
*Note: The popular MeetMe app with over 100 million downloads is not related to these malicious versions. Users should always verify app developers and permissions before downloading.
How the Spyware Worked
Once installed, the infected apps deployed the VajraSpy RAT code, which allowed cybercriminals to extract sensitive data such as:
- WhatsApp and Signal messages
- Contact lists and call logs
- Audio recordings, including background sounds
This type of spyware provides near-total surveillance capability, allowing attackers to monitor personal communications without the victim’s knowledge.
Not the First Time for VajraSpy
ESET notes that VajraSpy has appeared before in various disguises. In October, the same spyware family was found hidden inside two fake versions of the Signal messaging app, targeting users in the United Arab Emirates.
Interestingly, one of the new spyware apps was uploaded under the name Mohammad Rizwan, likely referencing the popular Pakistani cricket player of the same name, though the real athlete has no connection to the scam. This impersonation tactic highlights how attackers exploit public trust and celebrity recognition to lure victims.
Who Is Behind the Attack
ESET researchers have attributed the campaign to Patchwork APT, a known advanced persistent threat group that has been active in cyber-espionage operations across South Asia. Patchwork has a reputation for creating fake apps and phishing campaigns to infiltrate mobile devices and steal private communications.
Protecting Yourself from Malicious Apps
This discovery serves as a strong reminder that not every app on the Google Play or Apple App Store is safe. Cybercriminals frequently disguise malware as legitimate apps to deceive users. To protect yourself:
- Only download apps from verified developers and reputable companies.
- Carefully review app permissions and avoid apps asking for access to your microphone, camera, or messages unless absolutely necessary.
- Regularly update your phone and security software.
- Stay cautious of romance scams or unfamiliar links shared via social media or messaging apps.
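As an added example (not from ESET or the original article), the permission review described above can be done across all installed apps at once. This Python script parses text in the layout of `adb shell dumpsys package` output and lists apps that hold granted permissions for the data categories the article names. The sample dump, package names, permission-to-category mapping and review threshold are all constructed for illustration.

```python
import re

# Runtime permissions matching the data categories the article lists.
# The permission -> category mapping is this example's assumption.
SENSITIVE = {
    "android.permission.RECORD_AUDIO": "audio recording",
    "android.permission.READ_CONTACTS": "contact list",
    "android.permission.READ_CALL_LOG": "call log",
    "android.permission.READ_SMS": "messages",
    "android.permission.CAMERA": "camera",
}

# Constructed sample in the layout of `adb shell dumpsys package` output.
SAMPLE = """\
Package [com.example.chatdemo] (a1b2c3):
    runtime permissions:
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
      android.permission.READ_CALL_LOG: granted=true, flags=[ USER_SET ]
      android.permission.CAMERA: granted=false, flags=[ USER_SET ]
Package [com.example.notes] (d4e5f6):
    runtime permissions:
      android.permission.CAMERA: granted=true, flags=[ USER_SET ]
"""

PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
PERM_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)")

def granted_sensitive(dump):
    """Return {package: sorted list of sensitive categories actually granted}."""
    result, current = {}, None
    for line in dump.splitlines():
        m = PKG_RE.match(line)
        if m:  # start of a new package section
            current = m.group(1)
            result[current] = set()
            continue
        m = PERM_RE.match(line)
        if m and current and m.group(2) == "true" and m.group(1) in SENSITIVE:
            result[current].add(SENSITIVE[m.group(1)])
    return {pkg: sorted(cats) for pkg, cats in result.items()}

def flag_for_review(dump, threshold=2):
    """Packages holding at least `threshold` sensitive grants (hypothetical cutoff)."""
    return sorted(p for p, c in granted_sensitive(dump).items() if len(c) >= threshold)

if __name__ == "__main__":
    for pkg, cats in granted_sensitive(SAMPLE).items():
        print(pkg, cats)
    print("review:", flag_for_review(SAMPLE))
```

A flagged app is not necessarily malicious; the list only shows where a chat or dating app holds more access than its function explains.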
Recently, security researchers have also detected fake “Sora” apps mimicking OpenAI products, showing that malware creators are quick to exploit trending topics and well-known names.
The Takeaway
The VajraSpy campaign underscores how sophisticated mobile surveillance threats have become. Even though these specific apps primarily targeted users in India and Pakistan, the techniques used—impersonation, romance scams, and trojanized messaging apps—can affect anyone, anywhere.
Remaining vigilant about what you download, and which permissions you grant, is one of the simplest yet most effective defenses against mobile spyware.
FAQs
What is VajraSpy?
VajraSpy is a remote access trojan (RAT) discovered by ESET researchers. It was hidden in several Android chat and dating apps that secretly spied on users by recording conversations and stealing WhatsApp and Signal messages.
Which apps were infected with VajraSpy?
The malicious apps included Privee Talk, MeetMe, Let’s Chat, Quick Chat, Rafaqat, and Chit Chat. These fake apps were mainly distributed through the Google Play Store and targeted users in India and Pakistan.
How does VajraSpy steal information?
After installation, the infected apps run malicious code that can extract private messages, call logs, contact lists, and even record audio in the background without the user’s permission.
Was the spyware targeting users in the United States?
No. According to ESET, the VajraSpy spyware mainly targeted users in India and Pakistan and was downloaded about 1,400 times. However, similar tactics could appear in other regions in the future.
Who is behind the VajraSpy attack?
ESET researchers have linked the spyware campaign to Patchwork APT, a known cyber-espionage group that has been active in South Asia. The group is known for creating fake apps and phishing attacks.
How can I protect my phone from spyware?
Always download apps from verified developers, check permissions before installing, and avoid apps that ask for unnecessary access to your microphone or messages. Keep your device and security software updated regularly.
Is the popular MeetMe app infected?
No. The genuine MeetMe app with over 100 million downloads is not related to the fake MeetMe version containing VajraSpy malware. Always verify the developer name before installing any app.








