{
	"id": "d73bde52-e0f0-4bb8-b6b3-b3337fb26d57",
	"created_at": "2026-04-29T02:21:05.40562Z",
	"updated_at": "2026-04-29T10:18:32.807546Z",
	"deleted_at": null,
	"sha1_hash": "c0ef0679ef698f79f244acf1a690025b958b054c",
	"title": "VajraSpy – An Android RAT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 238502,
	"plain_text": "VajraSpy – An Android RAT\r\nPublished: 2022-04-19 · Archived: 2026-04-29 02:05:13 UTC\r\nCollecting high-profile users’ private information is the trend in recent times. We came across a Twitter post that described one such incident involving VajraSpy, an Android RAT that uses a designated Google Cloud Storage to store the data stolen from the user. VajraSpy is used by the APT-Q-43 (#VajraEleph) group targeting Pakistani military personnel. VajraSpy appears to be new, and it disguises itself as a chat app called “Crazy Talk”.\r\nLet’s get into the details of how VajraSpy works.\r\nUnzipping the CrazyTalk.apk sample showed that this is a Spy and that it includes more than one classes.dex file, as shown in Figure 1; the additional classes.dex files are loaded using Multidex support.\r\nFigure 1: Spy with many classes.dex\r\nThis malware uses Firebase Cloud Storage to store the data collected from a compromised device.\r\nAnalysis starts with the MainActivity of classes2.dex, the app’s entry point. MainActivity’s onCreate() function confirms that the app has “Notification Access” and “Accessibility Service” allowed and collects the Firebase Cloud Messaging (FCM) token as shown in Figure 2.\r\nhttps://labs.k7computing.com/index.php/vajraspy-an-android-rat/\r\nPage 1 of 5\r\nFigure 2: onCreate() confirming Notification Access and Accessibility Service\r\nThis app “CrazyTalk” impersonates a chat app and requests the permissions shown in Figure 3.\r\nFigure 3: Permissions requested by the malware\r\nThis malware initializes the Firebase Storage as shown in Figure 4.\r\nFigure 4: Firebase Storage initialization\r\nAfter the FirebaseStorage initialization, the app collects the victim’s personal information by creating an instance of the StorageReference object as shown in Figure 5.\r\nFigure 5: StorageReference initialization to upload collected victim’s information\r\nAs shown in Figure 5, the “putBytes()” function uploads the data (in our case, contacts.json) to the Firebase Storage via the StorageReference object.\r\nIn addition to the above contacts.json, this malicious app also collects other user data such as SMS messages, call logs, WhatsApp (including business accounts) messages, Signal app messages, device details, and the list of apps installed on the victim’s device, as shown in Figure 6.\r\nFigure 6: Collecting WhatsApp Business account and Signal app messages in JSON format\r\nWhatsApp, WhatsApp Business or Signal messages are collected from a victim’s device and stored in a designated table in the SQLite DB, which is then uploaded to the designated Firebase Cloud Storage as shown in Figures 7, 8 and 9.\r\nFigure 7: Collecting WhatsAppBusiness messages\r\nFigure 8: Uploading collected WhatsApp messages metadata to entrywb table in FeedReaderwb.db\r\nFigure 9: WAB.json array creation from entrywb table in FeedReaderwb.db\r\nOne of the common ways to curtail the activity of spyware or any malware is to detect the “C2” or the “URL” that the malware communicates with. Affirming the maliciousness of applications that communicate with, and copy the user’s data to, a legitimate hosting service or server using standard protocols and frameworks becomes a knotty procedure. In recent times, Android malware’s abuse of available standard frameworks and globally accepted services for malicious purposes is increasing. Users of “K7 Mobile Security” are protected against VajraSpy.\r\nIndicators of Compromise (IoCs)\r\nMD5: 0C980F475766F3A57F35D19F44B07666\r\nDetection name: Spyware ( 005893111 )\r\nSource: https://labs.k7computing.com/index.php/vajraspy-an-android-rat/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://labs.k7computing.com/index.php/vajraspy-an-android-rat/"
	],
	"report_names": [
		"vajraspy-an-android-rat"
	],
	"threat_actors": [],
	"ts_created_at": 1777429265,
	"ts_updated_at": 1777457912,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c0ef0679ef698f79f244acf1a690025b958b054c.pdf",
		"text": "https://archive.orkl.eu/c0ef0679ef698f79f244acf1a690025b958b054c.txt",
		"img": "https://archive.orkl.eu/c0ef0679ef698f79f244acf1a690025b958b054c.jpg"
	}
}