Update 2/2 - A Google spokesperson sent BleepingComputer the following comment:
We take security and privacy claims against apps seriously, and if we find that an app has violated our policies, we take appropriate action. Users are protected by Google Play Protect, which can warn users of apps known to exhibit this malicious behavior on Android devices with Google Play Services, even when those apps come from sources outside of Play.
ESET researcher Lukas Stefanko found 12 malicious Android applications containing the same VajraSpy RAT code, six of which were uploaded on Google Play, where they were downloaded roughly 1,400 times.
The apps that were available on Google Play are:
- Rafaqat رفاقت (news)
- Privee Talk (messaging)
- MeetMe (messaging)
- Let's Chat (messaging)
- Quick Chat (messaging)
- Chit Chat (messaging)
VajraSpy apps available outside Google Play are all bogus messaging apps:
- Hello Chat
- YohooTalk
- TikTalk
- Nidus
- GlowChat
- Wave Chat
Third-party app stores do not report download counts, so the number of people who have installed them through these platforms is unknown.
ESET's telemetry analysis indicates that most victims are located in Pakistan and India and are most likely tricked into installing the fake messaging apps via a romance scam.
Those installing the apps became infected with VajraSpy, allowing the malware to steal personal data, including contacts and messages, and depending on the granted permissions, even to record their phone calls.