VajraSpy is Android malware distributed via trojanized messaging and news applications. It has been used to target individuals in Pakistan and India since at least 2021 and has been delivered through the Google Play Store, malicious domains, and other uncontrolled distribution channels. VajraSpy is attributed with high confidence to Patchwork, which has used the malware to conduct targeted espionage, primarily against devices in Pakistan. [1][2][3]
| Domain | ID | Name | Use |
|---|---|---|---|
| Mobile | T1453 | Abuse Accessibility Features | VajraSpy has exploited accessibility features to intercept and exfiltrate communication from WhatsApp, WhatsApp Business and Signal and to automatically enable necessary permissions on the user's behalf.[1] |
| Mobile | T1517 | Access Notifications | VajraSpy has monitored and exfiltrated notifications from messaging applications and from SMS messages.[1] |
| Mobile | T1429 | Audio Capture | VajraSpy has recorded surrounding audio and phone calls from WhatsApp, WhatsApp Business, Signal, and Telegram by requesting |
| Mobile | T1616 | Call Control | VajraSpy has requested for |
| Mobile | T1533 | Data from Local System | VajraSpy has collected files with specific extensions, such as .txt, .jpg, .Om4a, .aac and .opus, before exfiltration.[1] VajraSpy has also requested for |
| Mobile | T1639.001 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol | VajraSpy has used Retrofit, an HTTP client for Android, to upload unencrypted data to the C2 server via HTTP.[1] |
| Mobile | T1646 | Exfiltration Over C2 Channel | VajraSpy has exfiltrated captured data to C2 via POST requests.[1] |
| Mobile | T1420 | File and Directory Discovery | VajraSpy has searched for files with specific extensions, such as .txt, .jpg, .Om4a, .aac and .opus, before exfiltration.[1] |
| Mobile | T1417.001 | Input Capture: Keylogging | |
| Mobile | T1430 | Location Tracking | VajraSpy has exfiltrated the device's location.[1] VajraSpy has also requested for |
| Mobile | T1461 | Lockscreen Bypass | VajraSpy has requested for |
| Mobile | T1655 | Masquerading | VajraSpy has masqueraded as messaging and news applications.[1][3] |
| Mobile | T1660 | Phishing | VajraSpy has used a romance scam to lure victims into downloading the trojanized application.[1] |
| Mobile | T1636.002 | Protected User Data: Call Log | |
| Mobile | T1636.003 | Protected User Data: Contact List | VajraSpy has collected and exfiltrated the contact list.[1][3] |
| Mobile | T1636.004 | Protected User Data: SMS Messages | |
| Mobile | T1636.005 | Protected User Data: Accounts | VajraSpy has requested for |
| Mobile | T1418 | Software Discovery | VajraSpy has obtained and exfiltrated a list of installed applications.[1][3] |
| Mobile | T1409 | Stored Application Data | VajraSpy has collected messages in WhatsApp, WhatsApp Business, and Signal.[1][3] |
| Mobile | T1426 | System Information Discovery | VajraSpy has requested for |
| Mobile | T1422.002 | System Network Configuration Discovery: Wi-Fi Discovery | |
| Mobile | T1512 | Video Capture | VajraSpy has captured pictures using the device's camera by requesting for |
| Mobile | T1481.002 | Web Service: Bidirectional Communication | VajraSpy has used Firebase and Google Cloud Storage to send and receive C2 communications and to send collected data.[1][3] |
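Most of the behaviours in the table above (accessibility and notification access, audio and camera capture, contacts, SMS, location, cleartext HTTP upload) have to be declared in an app's AndroidManifest.xml before the platform will grant them, which makes manifest triage a cheap first pass over an APK pulled from an uncontrolled distribution channel. The script below is an added example, not code from the page, ESET, MITRE or the malware itself; the permission-to-technique mapping, the `is_suspicious` threshold, the sample manifests and the `com.example.*` package names are constructed assumptions for illustration.

```python
"""Manifest triage for the VajraSpy behaviour set (added example, not the page's
or ESET's code). Maps declared Android permissions, service bindings and the
cleartext-traffic flag onto the ATT&CK Mobile technique IDs listed above.
The mapping itself is an assumption made here, not something the report states."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping: <uses-permission> name -> technique ID from the table above.
PERMISSION_TECHNIQUES = {
    "android.permission.RECORD_AUDIO": "T1429",           # Audio Capture
    "android.permission.ANSWER_PHONE_CALLS": "T1616",     # Call Control
    "android.permission.READ_EXTERNAL_STORAGE": "T1533",  # Data from Local System
    "android.permission.ACCESS_FINE_LOCATION": "T1430",   # Location Tracking
    "android.permission.READ_CALL_LOG": "T1636.002",      # Call Log
    "android.permission.READ_CONTACTS": "T1636.003",      # Contact List
    "android.permission.READ_SMS": "T1636.004",           # SMS Messages
    "android.permission.GET_ACCOUNTS": "T1636.005",       # Accounts
    "android.permission.QUERY_ALL_PACKAGES": "T1418",     # Software Discovery
    "android.permission.ACCESS_WIFI_STATE": "T1422.002",  # Wi-Fi Discovery
    "android.permission.CAMERA": "T1512",                 # Video Capture
}

# Assumed mapping: the permission a <service> must be bound with -> technique ID.
SERVICE_TECHNIQUES = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "T1453",         # Abuse Accessibility Features
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "T1517",  # Access Notifications
}

ACCESS_TECHNIQUES = {"T1453", "T1517"}
COLLECTION_PREFIXES = ("T1429", "T1430", "T1533", "T1636", "T1512")


def triage_manifest(manifest_xml):
    """Return {technique_id: [evidence strings]} for one AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    hits = {}

    def add(tid, evidence):
        hits.setdefault(tid, []).append(evidence)

    for elem in root.iter("uses-permission"):
        name = elem.get(ANDROID_NS + "name", "")
        if name in PERMISSION_TECHNIQUES:
            add(PERMISSION_TECHNIQUES[name], "uses-permission " + name)

    for svc in root.iter("service"):
        perm = svc.get(ANDROID_NS + "permission", "")
        if perm in SERVICE_TECHNIQUES:
            add(SERVICE_TECHNIQUES[perm],
                "service %s bound with %s" % (svc.get(ANDROID_NS + "name", "?"), perm))

    # Since Android 9 an app must opt in to cleartext HTTP; plain-HTTP upload of
    # collected data (T1639.001) needs this flag or a network-security-config override.
    app = root.find("application")
    if app is not None and app.get(ANDROID_NS + "usesCleartextTraffic", "false").lower() == "true":
        add("T1639.001", 'application android:usesCleartextTraffic="true"')
    return hits


def is_suspicious(hits, min_collection=3):
    """Heuristic: accessibility or notification access combined with several
    collection capabilities is the profile the table above describes."""
    has_access = bool(ACCESS_TECHNIQUES & set(hits))
    collection = [t for t in hits if t.startswith(COLLECTION_PREFIXES)]
    return has_access and len(collection) >= min_collection


# Constructed sample manifests (not real apps); package names are placeholders.
TROJANIZED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chatapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Chat" android:usesCleartextTraffic="true">
    <service android:name=".A11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".Notif"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.camera">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Camera"/>
</manifest>"""


if __name__ == "__main__":
    for label, xml in (("trojanized", TROJANIZED_MANIFEST), ("benign", BENIGN_MANIFEST)):
        hits = triage_manifest(xml)
        print(label, "suspicious" if is_suspicious(hits) else "ok")
        for tid in sorted(hits):
            print("  ", tid, "<-", "; ".join(hits[tid]))
```

On a real sample, feed in the manifest decoded with `apktool d` or `aapt dump xmltree`; the heuristic only says that an app declares the capability set, not that it uses it maliciously, so a hit is a reason to look at the app's network destinations (the table lists Firebase, Google Cloud Storage and plain HTTP POSTs for this family), not a verdict on its own.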