India-linked hackers target Pakistan with spyware in new campaign

Suspected Indian state-sponsored hackers have used romance scams to lure victims in Pakistan into installing malicious apps, infecting their devices with spying malware, according to new research.

The group, known as Patchwork, created at least 12 malicious Android apps, including MeetMe, Let’s Chat, Quick Chat, and Rafaqat, and distributed them through Google Play and other platforms. The apps were downloaded more than 1,400 times before they were flagged as malicious and removed by Google, according to the report from Slovak-based cybersecurity company ESET.

Some of the hackers' victims were located in Malaysia and India, but researchers believe those users accidentally downloaded the apps since Patchwork most likely intended to target users in Pakistan.

The group, which has been active since December 2015, has a history of attacking Pakistan with phishing attacks, according to a previous report from the cybersecurity firm Malwarebytes. ESET researchers found other indicators — including the number of victims located in Pakistan — to prove that the group’s latest campaign was also directed against Pakistan.

Other researchers also discovered that VajraSpy malware, which ESET said was used in the latest campaign, has been previously deployed against Pakistani military personnel. VajraSpy is a customizable malware, usually disguised as a messaging application, used to exfiltrate user data.

In the recent attacks, the hackers used romance scams, attempting to entice their victims romantically or sexually through legitimate apps, and then persuading them to switch to the malicious ones.

All the apps identified by ESET were messengers, except for one that posed as a news app. Some of them shared an identical user login interface or were signed by the same developer certificate.

The apps required users to create an account and enter a phone number for SMS code verification. Once victims' phones were infected with VajraSpy, the hackers could exfiltrate their contacts, SMS messages, call logs, device location, a list of installed apps, and files with specific extensions.

The more advanced malicious apps could even intercept messages from other apps, including WhatsApp and Signal.

One of the apps, Wave Chat, had even more malicious capabilities. It could record phone calls, including those from WhatsApp, Signal, and Telegram, log keystrokes, take pictures using the camera, record surrounding audio, and scan for Wi-Fi networks.

ESET hasn't specified who the hackers targeted in Pakistan, but in previous campaigns, Patchwork attacked high-profile victims, including universities and research organizations in China, Pakistani government entities, and individuals with a research focus on molecular medicine and biological science.