Keypoints
- 12 trojanized Android apps (six previously on Google Play, six found in the wild) share identical VajraSpy RAT code and class names.
- VajraSpy runs regardless of account creation and gains persistence by registering for BOOT_COMPLETED to activate at startup.
- The malware exfiltrates contacts, SMS, call logs, device identifiers (IMEI/IMSI), location, installed apps, and files with many common extensions.
- Advanced variants abuse Accessibility and Notification access to capture WhatsApp/WhatsApp Business/Signal messages and log visible UI text in real time.
- The Wave Chat variant can auto-enable permissions via Accessibility, record calls (including VoIP), log keystrokes, take photos, record audio, and scan Wi‑Fi networks.
- Command-and-control uses Firebase (Google-hosted Realtime Database) and additional C2 servers; some data is uploaded via Retrofit over unencrypted HTTP.
- Operators stored victim account info and exchanged messages on Firebase C2 endpoints and used POST requests to exfiltrate captured data.
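The persistence and privilege signals in the keypoints above (a BOOT_COMPLETED receiver, an Accessibility service, a notification listener, and a broad set of data-access permissions) are all visible in an app's decoded AndroidManifest.xml before the app is ever run. The triage script below is an added example written for this summary, not code from ESET or from the report; the sample manifest, its package name and its class names are constructed placeholders, not indicators from the report.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_PERMISSION = f"{{{ANDROID_NS}}}permission"

BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
NOTIFICATION_BIND = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"

# Runtime permissions covering the data classes the report says VajraSpy collects
# (contacts, SMS, call logs, IMEI/phone state, location, audio, camera, storage).
DATA_ACCESS_PERMISSIONS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_PHONE_STATE",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.READ_EXTERNAL_STORAGE",
}


def triage_manifest(manifest_xml: str) -> dict:
    """Return the persistence and privilege signals found in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    requested = {p.get(A_NAME) for p in root.findall("uses-permission")}
    report = {
        "package": root.get("package"),
        "boot_receivers": [],
        "accessibility_services": [],
        "notification_listeners": [],
        "data_permissions": sorted(requested & DATA_ACCESS_PERMISSIONS),
        "findings": [],
    }
    app = root.find("application")
    receivers = [] if app is None else app.findall("receiver")
    services = [] if app is None else app.findall("service")
    # Persistence: any receiver whose intent-filter listens for BOOT_COMPLETED.
    for receiver in receivers:
        actions = {a.get(A_NAME) for f in receiver.findall("intent-filter") for a in f.findall("action")}
        if BOOT_ACTION in actions:
            report["boot_receivers"].append(receiver.get(A_NAME))
    # Privilege: services bound by the system-only Accessibility / notification-listener permissions.
    for service in services:
        bind = service.get(A_PERMISSION)
        if bind == ACCESSIBILITY_BIND:
            report["accessibility_services"].append(service.get(A_NAME))
        elif bind == NOTIFICATION_BIND:
            report["notification_listeners"].append(service.get(A_NAME))
    if report["boot_receivers"]:
        report["findings"].append("starts at boot via a BOOT_COMPLETED receiver")
    if report["accessibility_services"]:
        report["findings"].append("declares an Accessibility service (can read on-screen text and act on prompts)")
    if report["notification_listeners"]:
        report["findings"].append("declares a notification listener (can read messaging notifications)")
    if len(report["data_permissions"]) >= 4:
        report["findings"].append(f"requests {len(report['data_permissions'])} sensitive data permissions")
    return report


# Constructed manifest modelled on the signals described in the report; package and
# class names are placeholders (hypothetical), not indicators from the report.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chatapp">
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Chat">
        <activity android:name=".MainActivity"/>
        <receiver android:name="com.example.chatapp.BootReceiver" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
        <service android:name="com.example.chatapp.ScreenReader"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
        <service android:name="com.example.chatapp.NotifListener"
            android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    </application>
</manifest>
"""

# Constructed benign manifest for comparison: one permission, no receivers or bound services.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <application android:label="Flashlight">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""

if __name__ == "__main__":
    for name, xml in (("suspicious", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        r = triage_manifest(name and xml)
        print(name, r["package"], r["findings"])
```

The manifest is read from an APK decoded with a tool such as apktool; the point of the checks is that a messaging app with a boot receiver, a bound Accessibility service and a notification listener, on top of contact/SMS/call-log/location permissions, has the full set of capabilities the report attributes to VajraSpy and deserves manual review regardless of which store it came from.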
MITRE Techniques
- [T1398] Boot or Logon Initialization Scripts – Malware registers for BOOT_COMPLETED to activate at device startup. [‘VajraSpy receives the BOOT_COMPLETED broadcast intent to activate at device startup.’]
- [T1420] File and Directory Discovery – Lists files on external storage to find targets for exfiltration. [‘VajraSpy lists available files on external storage.’]
- [T1422] System Network Configuration Discovery – Extracts device identifiers and phone information. [‘VajraSpy extracts the IMEI, IMSI, phone number, and country code.’]
- [T1426] System Information Discovery – Gathers SIM serial, device ID and common system info. [‘VajraSpy extracts information about the device, including SIM serial number, device ID, and common system information.’]
- [T1418] Software Discovery – Enumerates installed applications on the device. [‘VajraSpy can obtain a list of installed applications.’]
- [T1533] Data from Local System – Exfiltrates files from the device storage. [‘VajraSpy exfiltrates files from the device.’]
- [T1430] Location Tracking – Tracks and exfiltrates device location. [‘VajraSpy tracks device location.’]
- [T1636.002] Protected User Data: Call Logs – Extracts user call history. [‘VajraSpy extracts call logs.’]
- [T1636.003] Protected User Data: Contact List – Extracts contacts stored on the device. [‘VajraSpy extracts the contact list.’]
- [T1636.004] Protected User Data: SMS Messages – Extracts SMS messages. [‘VajraSpy extracts SMS messages.’]
- [T1517] Access Notifications – Collects device notifications when granted notification access. [‘VajraSpy can collect device notifications.’]
- [T1429] Audio Capture – Records microphone audio and records phone calls (including VoIP). [‘VajraSpy can record microphone audio and record calls.’]
- [T1512] Video Capture – Uses the camera to take pictures on command. [‘VajraSpy can take pictures using the camera.’]
- [T1417.001] Input Capture: Keylogging – Intercepts user interactions and keystrokes. [‘VajraSpy can intercept all interactions between a user and the device.’]
- [T1437.001] Application Layer Protocol: Web Protocols – Communicates with C2 over HTTPS. [‘VajraSpy uses HTTPS to communicate with its C&C server.’]
- [T1481.003] Web Service: One-Way Communication – Uses Google Firebase as a C2/data store. [‘VajraSpy uses Google’s Firebase server as a C&C.’]
- [T1646] Exfiltration Over C2 Channel – Sends collected data to C2 via HTTPS/POST. [‘VajraSpy exfiltrates data using HTTPS.’]
- [T1641] Data Manipulation – Deletes files and removes call logs/contacts to hinder recovery. [‘VajraSpy removes files with specific extensions from the device, and deletes all user call logs and the contact list.’]
Indicators of Compromise
- [File hashes] trojanized APK SHA-1 examples – BAF6583C54FC680AA6F71F3B694E71657A7A99D0, 846B83B7324DFE2B98264BAFAC24F15FD83C4115, and 11 more hashes
- [Package names] malicious Android package names – com.hello.chat, com.chit.chat, and other package names listed in the report
- [Domains] Firebase C2/Realtime DB endpoints – hello-chat-c47ad-default-rtdb.firebaseio[.]com, rafaqat-d131f-default-rtdb.asia-southeast1.firebasedatabase[.]app, and additional Firebase domains
- [IP addresses] C2 hosting IPs – 34.120.160[.]131, 35.186.236[.]207, and 160.20.147[.]67
- [Developer certificate] APK signing fingerprint – SHA-1 881541A1104AEDC7CEE504723BD5F63E15DB6420 (used by multiple samples)
VajraSpy is an Android remote access trojan embedded in trojanized messaging (and one news) apps; it shares common class names across samples and activates on device startup via the BOOT_COMPLETED broadcast. Once installed it enumerates device and network data (IMEI, IMSI, SIM serial, device ID), lists installed apps and files (targeting many common extensions), collects contacts, SMS and call logs, and tracks device location. The malware can also access notifications and, when granted accessibility privileges, capture visible UI text from messaging apps (WhatsApp, WhatsApp Business, Signal) and log it locally before exfiltration.
Advanced variants (notably Wave Chat) prompt for Accessibility services to auto-enable permissions and expand capabilities: recording phone and VoIP calls, keylogging, taking camera photos, recording ambient audio, and scanning Wi‑Fi networks. Captured data and account/message stores are sent to Google-hosted Firebase Realtime Database endpoints used as C2, while other payloads and exfiltration use separate C2 servers and an HTTP client based on Retrofit; some transfers occur over HTTPS but certain uploads are made unencrypted via HTTP POST.
Operationally, the malware persists across reboots, runs regardless of account verification, and removes selected files and user call/contact records to impede recovery. Detection and mitigation should focus on blocking the known Firebase C2 domains/IPs, matching the listed APK hashes, package names and signing certificate, and preventing abuse of the Notification and Accessibility permissions that the malware leverages to capture protected messaging content.
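One way to operationalize the indicators listed above is a small matcher that checks an installed-package listing, APK and signer hashes, and network logs against them. The script below is an added example written for this summary, not tooling from ESET or the report; it uses only the indicators printed on this page (two of the thirteen APK hashes, two of the package names, the two Firebase domains, the three IPs and the signer fingerprint), and the package listing and log lines it scans are constructed samples.

```python
import re


def refang(indicator: str) -> str:
    """Turn a defanged indicator (x[.]y) back into its real form for matching."""
    return indicator.replace("[.]", ".")


# Indicators copied from the report above (the page lists 11 further APK hashes and
# further package names/domains that are not reproduced here).
IOC_APK_SHA1 = {
    "BAF6583C54FC680AA6F71F3B694E71657A7A99D0",
    "846B83B7324DFE2B98264BAFAC24F15FD83C4115",
}
IOC_SIGNER_SHA1 = {"881541A1104AEDC7CEE504723BD5F63E15DB6420"}
IOC_PACKAGES = {"com.hello.chat", "com.chit.chat"}
IOC_DOMAINS = {refang(d) for d in (
    "hello-chat-c47ad-default-rtdb.firebaseio[.]com",
    "rafaqat-d131f-default-rtdb.asia-southeast1.firebasedatabase[.]app",
)}
IOC_IPS = {refang(ip) for ip in ("34.120.160[.]131", "35.186.236[.]207", "160.20.147[.]67")}

# Lines from `adb shell pm list packages -f` look like: package:/path/base.apk=com.pkg.name
PM_LINE = re.compile(r"^package:(?P<path>\S+)=(?P<pkg>[\w.]+)$")


def scan_pm_output(pm_output: str) -> list:
    """Return (package, apk_path) for every installed package whose name is an IoC."""
    hits = []
    for line in pm_output.splitlines():
        m = PM_LINE.match(line.strip())
        if m and m.group("pkg") in IOC_PACKAGES:
            hits.append((m.group("pkg"), m.group("path")))
    return hits


def scan_apk_hashes(sha1_by_path: dict) -> list:
    """Return the paths whose APK SHA-1 (any case) matches a listed hash."""
    return sorted(path for path, h in sha1_by_path.items() if h.upper() in IOC_APK_SHA1)


def signer_is_ioc(cert_sha1: str) -> bool:
    """Accept apksigner-style (plain hex) or keytool-style (colon-separated) fingerprints."""
    return cert_sha1.replace(":", "").upper() in IOC_SIGNER_SHA1


def _host_of(token: str) -> str:
    """Reduce a log token (bare host, IP or URL) to its host part for comparison."""
    token = token.strip(",;\"'<>()").lower()
    if "://" in token:
        token = token.split("://", 1)[1]
    return token.split("/", 1)[0].split(":", 1)[0]


def scan_network_log(lines) -> list:
    """Return (line_no, indicator) for the first IoC host or IP found on each log line."""
    hits = []
    for n, line in enumerate(lines, 1):
        for tok in line.split():
            host = _host_of(tok)
            if host in IOC_IPS or host in IOC_DOMAINS or any(host.endswith("." + d) for d in IOC_DOMAINS):
                hits.append((n, host))
                break
    return hits


# Constructed sample inputs: one IoC package among benign ones, and one DNS plus one
# HTTP log line that touch listed infrastructure, with a benign line for contrast.
SAMPLE_PM_OUTPUT = """package:/data/app/~~abc==/com.hello.chat-1/base.apk=com.hello.chat
package:/data/app/~~def==/com.example.notes-1/base.apk=com.example.notes
package:/system/app/Bluetooth/Bluetooth.apk=com.android.bluetooth"""

SAMPLE_NETWORK_LOG = [
    "2024-02-01T09:12:03Z 10.0.0.21 DNS A hello-chat-c47ad-default-rtdb.firebaseio.com",
    "2024-02-01T09:12:04Z 10.0.0.21 HTTP POST http://160.20.147.67/upload/",
    "2024-02-01T09:12:09Z 10.0.0.33 DNS A www.example.org",
]

if __name__ == "__main__":
    print("package hits:", scan_pm_output(SAMPLE_PM_OUTPUT))
    print("network hits:", scan_network_log(SAMPLE_NETWORK_LOG))
```

The package and hash checks are the quickest host-side triage; the network check is where the Firebase C2 pattern matters, because the Realtime Database hostnames are legitimate Google infrastructure and must be matched by full hostname (or a subdomain of it) rather than by blocking firebaseio.com as a whole. Unencrypted HTTP POST uploads to the listed IPs, as the report describes, are visible in plain proxy or flow logs and are the easiest exfiltration to spot.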
Read more: https://www.welivesecurity.com/en/eset-research/vajraspy-patchwork-espionage-apps/