6 Android Apps Caught Recording Conversations

Security researchers have found a batch of Android chat apps that secretly harvested users’ messages. The discovery is the latest in a string of privacy scandals to hit popular tech services. ESET, which examined the campaign, linked the spyware to a remote access trojan called VajraSpy and found that distribution was mainly focused on users in India and Pakistan, with around 1,400 downloads in total.

What researchers uncovered about the VajraSpy campaign

ESET’s probe discovered 12 of these malicious apps in all, six of which landed on Google Play before being flagged. The Play-hosted apps were named Privee Talk, MeetMe, Let’s Chat, Quick Chat, Rafaqat رفاق and Chit Chat. After installation, the apps deployed VajraSpy modules that could carry out broad surveillance, including scraping messages from encrypted chat applications and live recording of ambient sound.

  • Privee Talk
  • MeetMe
  • Let’s Chat
  • Quick Chat
  • Rafaqat رفاق
  • Chit Chat

One related app identified in this broader campaign, WaveChat, stood out for its ability to record background audio even without having been launched, which illustrates how aggressively microphone permissions can be misused. Interception of WhatsApp and Signal communications with these tools usually involved abusing Android’s Accessibility Services or notification access to read messages and capture what was on the target’s screen.

Although Play installs were limited, the spyware’s capabilities were not. It could also demand sensitive permissions and exfiltrate call logs, contacts, SMS messages, device metadata and files, then stream the data back to attacker-controlled servers. ESET believes the operation to be the work of Patchwork APT, a well-established group known for social engineering and regional espionage.

Who was targeted in this campaign and how it worked

The operators, ESET says, relied on honey-trap techniques: posing as friendly chat partners and prodding targets to install “private” messaging apps outside of typical safety guardrails. Some app store listings and developer information appeared to trade on celebrity, using the name Mohammad Rizwan, which is identical to that of a famous Pakistani cricketer (and not necessarily the name of anyone behind the campaign).

The geographic emphasis was obvious: victims were predominantly in India and Pakistan. There is no evidence the campaign targeted users in the United States, but the surveillance method, lightweight chat apps uploaded to social networks and app stores and seeded with infection points, can be replicated anywhere and certainly could be used there. ESET has previously reported on such spyware disguises, including lookalike apps impersonating the Signal app and targeting users in the United Arab Emirates.

What those Android chat apps could have accessed

Direct call recording runs into technical and policy barriers on modern Android versions, but spyware can still capture sensitive audio by turning on the microphone, steering the victim to speakerphone or simply making a continuous recording of ambient sound. Paired with Accessibility Services, such tools can read the text of incoming messages, scrape notifications and capture content displayed on screen.

VajraSpy’s permissions footprint resembled that of a common espionage kit: RECORD_AUDIO for audio capture; READ_CONTACTS and READ_SMS to build a social graph; access to notifications and accessibility services for chat interception; and storage permissions for mining photos, documents and app data caches. Once those permissions are granted, attackers gain “incredible insight into the communications and activities of a person,” Robertson said.

Impact on users and questions for platform oversight

The existence of any spyware in a mainstream app store raises predictable questions about vetting. Google’s Play Protect has steadily grown, adding real-time scanning for apps sideloaded from other sources and machine-learning testing for signs of misbehavior. The rate of potentially harmful applications installed on devices that are limited to the Play store is now 0.1%, according to Google’s recently released security reporting.

Still, dedicated espionage apps are designed to look benign, shrink their footprint and masquerade as familiar categories such as dating and chat. It’s that camouflage, augmented by some social engineering outside the store, that lets these small actors do damage beyond their size, even if download counts are small.

How to check if your phone is affected and protect it

Look through your installed apps for the app names mentioned by the researchers: Privee Talk, MeetMe, Let’s Chat, Quick Chat [in Persian], Rafaqat رفاق and Chit Chat. Should you find any, uninstall it at once and run the Play Protect scan from the Play Store menu.

Look in Settings under “Review permissions,” then revoke microphone, accessibility, notification access and storage from apps that do not genuinely need them.

Pay particular attention to any app that has been given Accessibility Services access: many apps make such requests only when necessary, and very few chat apps ask for it.

Reset passwords for messaging and email accounts, and turn on 2-step verification. In WhatsApp and Signal, examine the active sessions and connected devices, and consider resetting your security code with contacts you communicate with frequently. If you sideload apps, disable “Install unknown apps” for your browser and file managers.

Return the device to its original settings. If you believe your phone has been seriously compromised, back up any important files and do a factory reset. Once it is restored, install apps only from trusted developers with long track records and clear privacy policies.
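The permission review described above can be scripted from a computer. This is an added example, not code from ESET or the article: it assumes the text comes from `adb shell dumpsys package` and from `adb shell settings get secure enabled_accessibility_services` and `enabled_notification_listeners`; the package names and sample data are constructed, and the flagging rule is an illustrative choice.

```python
import re

# Permission footprint the article attributes to VajraSpy.
WATCHED = {"android.permission." + p for p in ("RECORD_AUDIO", "READ_CONTACTS", "READ_SMS")}

# Constructed sample in the shape of `adb shell dumpsys package` output (trimmed).
SAMPLE_DUMPSYS = """\
Package [com.example.chatlite] (1a2b3c):
    runtime permissions:
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
Package [com.example.notes] (4d5e6f):
    runtime permissions:
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
      android.permission.READ_CONTACTS: granted=false, flags=[ USER_SET ]
"""
# Constructed secure-setting values (colon-separated "package/class" entries).
SAMPLE_A11Y = "com.example.chatlite/.HelperService:com.example.reader/.TalkService"
SAMPLE_LISTENERS = "com.example.chatlite/.NotifyService"

def granted_permissions(dumpsys_text):
    """Map each package to the set of permissions shown as granted=true."""
    result, pkg = {}, None
    for line in dumpsys_text.splitlines():
        if m := re.match(r"\s*Package \[([\w.]+)\]", line):
            pkg = m.group(1)
            result[pkg] = set()
        elif pkg and (m := re.match(r"\s*([\w.]+): granted=true", line)):
            result[pkg].add(m.group(1))
    return result

def service_packages(value):
    """Package names from a colon-separated "package/class" setting value."""
    value = (value or "").strip()
    return set() if value in ("", "null") else {c.split("/")[0] for c in value.split(":") if c}

def audit(dumpsys_text, accessibility, listeners, allowlist=()):
    """Return {package: [signals]} for apps that deserve a manual review."""
    a11y, notif = service_packages(accessibility), service_packages(listeners)
    findings = {}
    for pkg, perms in granted_permissions(dumpsys_text).items():
        signals = sorted(p.rsplit(".", 1)[1] for p in perms & WATCHED)
        signals += ["ACCESSIBILITY_SERVICE"] * (pkg in a11y) + ["NOTIFICATION_LISTENER"] * (pkg in notif)
        intercepts = pkg in a11y or pkg in notif
        # Flag microphone access combined with a message-interception channel.
        if pkg not in allowlist and "RECORD_AUDIO" in signals and intercepts:
            findings[pkg] = signals
    return findings
```

A hit is a prompt for manual review, not proof of spyware; screen readers and other assistive tools you rely on belong in `allowlist`.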

The bottom line on spyware hidden in chat apps

This campaign demonstrates how, even when targets don’t fall for the false webmail site, conducting everyday tasks could still yield hundreds of conversations from popular chat applications. “This shows that a convincing chat app can also act as precision spyware in the wrong hands — secretly capturing user information and conversations without the user having any reason to suspect anything is out of the ordinary,” said Ronen Rabinovich, Phantom’s CEO. The download numbers are modest, but the capabilities are serious. A quick check of your applications and permissions is the best defense, and a reminder that categories you think of as familiar, like “messaging,” deserve extra consideration before you press install.
