S9006: VajraSpy
VajraSpy is Android malware distributed via trojanized messaging and news applications. It has been used to target individuals in Pakistan and India since at least 2021 and has been delivered through the Google Play Store, malicious domains, and other uncontrolled distribution channels. VajraSpy is attributed with high confidence to Patchwork which has used the malware to conduct targeted espionage, primarily against devices in Pakistan.[1][2][3]
Analyst context for executives and security teams
VajraSpy matters because it represents a mobile espionage risk on Android devices, delivered through trojanized messaging and news apps, including Google Play, malicious domains, and other uncontrolled distribution channels. For leaders, the practical issue is not only malware removal; it is whether the organization can govern mobile app sources, permissions, and high-risk user devices well enough to prevent collection of contacts, SMS, call logs, location, audio, video, account data, and local files.
Executive priority
Prioritize VajraSpy as a mobile security, identity, and incident-readiness concern where Android devices are used for sensitive work, executive communications, diplomatic/government activity, or access to corporate accounts. The supplied ATT&CK context ties VajraSpy to targeted espionage activity and high-confidence attribution to Patchwork, so executives should ask whether mobile device management, app approval, permission review, and mobile IR procedures produce auditable evidence—not just policy statements.
Technical view
SOC and IR teams should validate Android visibility around app provenance, package identity, masquerading behavior, permission grants, accessibility abuse, notification access, and outbound communications. Relationship context shows VajraSpy using techniques for stored app data, keylogging, software/file/system/Wi-Fi discovery, audio/video capture, location tracking, call control, contact/SMS/call-log/account collection, local data collection, C2, and exfiltration. Because ATT&CK provides no official detection text, teams should treat this as a coverage-validation exercise across mobile EDR/MDM, network, identity, and user-reporting sources.
Likely telemetry
- Android MDM/UEM inventory: installed apps, package names, signing certificates, install source, version, and compliance state
- App permission and runtime grant data, especially accessibility, notification access, microphone, camera, location, SMS, contacts, phone, and account-related permissions
- Mobile threat defense or endpoint alerts for trojanized apps, masquerading, risky sideloading, or suspicious app behavior
- Network telemetry from mobile devices, including DNS, HTTP/HTTPS destinations, unusual unencrypted transfer, and recurring command-and-control-like communications
- Device and app data-usage patterns that may indicate collection or exfiltration
Detection direction
- Confirm whether the SOC can distinguish managed-store installs from sideloaded or uncontrolled distribution channels; do not assume Google Play provenance alone is sufficient because the supplied description includes Google Play delivery.
- Tune for combinations of risk rather than single permissions: a messaging or news app requesting broad access to accessibility, notifications, SMS, contacts, microphone, camera, location, call controls, and accounts is more meaningful than any one permission alone.
- Correlate app masquerading indicators with software discovery, file/directory discovery, system information discovery, and collection of local, contact, SMS, call-log, and account data.
- Review network analytics for mobile apps that communicate with unusual external services or exfiltrate over C2 channels or unencrypted non-C2 protocols, while accounting for normal messaging/news app traffic to reduce false positives.
- Validate whether mobile telemetry is actually forwarded to the SIEM and retained long enough for IR; many organizations have desktop-class logging but weak mobile evidence.
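The telemetry and detection points above come together in a small triage pass over an MDM app inventory. The following is an added example written for this page, not Glexia or MITRE code: it scores each app on the distinct collection capabilities its grants could support, using the permission names quoted in the technique table plus a few standard Android permissions (READ_SMS, READ_CONTACTS, READ_CALL_LOG, ACCESS_FINE_LOCATION) that are an assumed mapping, and only flags when category, install source and paired accessibility/notification grants combine. The inventory records and the field names are constructed assumptions about how an MDM/UEM export would be normalised.

```python
"""Scoring an Android app inventory for VajraSpy-style permission combinations.

Added example for this page; it is not Glexia or MITRE code. The records
below are constructed for illustration, and the field names (package, label,
category, install_source, permissions, accessibility_service,
notification_listener) are assumptions about how an MDM/UEM export would be
normalised before this logic runs.
"""
from dataclasses import dataclass, field

# Permissions named in the ATT&CK relationship text for VajraSpy, mapped to the
# technique they support. READ_ and WRITE_EXTERNAL_STORAGE both map to T1533.
HIGH_RISK_PERMISSIONS = {
    "android.permission.RECORD_AUDIO": "T1429 Audio Capture",
    "android.permission.CAMERA": "T1512 Video Capture",
    "android.permission.READ_PHONE_STATE": "T1426 System Information Discovery",
    "android.permission.DISABLE_KEYGUARD": "T1461 Lockscreen Bypass",
    "android.permission.GET_ACCOUNTS": "T1636.005 Accounts",
    "android.permission.CALL_PHONE": "T1616 Call Control",
    "android.permission.READ_EXTERNAL_STORAGE": "T1533 Data from Local System",
    "android.permission.WRITE_EXTERNAL_STORAGE": "T1533 Data from Local System",
    # Standard Android permissions behind the SMS, contact, call-log and
    # location collection in the table; this mapping is an assumption, the
    # page does not quote these permission names.
    "android.permission.READ_SMS": "T1636.004 SMS Messages",
    "android.permission.READ_CONTACTS": "T1636.003 Contact List",
    "android.permission.READ_CALL_LOG": "T1636.002 Call Log",
    "android.permission.ACCESS_FINE_LOCATION": "T1430 Location Tracking",
}

# Assumed label for the managed Google Play channel in the MDM export.
MANAGED_SOURCES = {"managed_play"}
SENSITIVE_CATEGORIES = {"messaging", "news"}


@dataclass
class AppRecord:
    package: str
    label: str
    category: str            # e.g. "messaging", "news", "productivity"
    install_source: str      # e.g. "managed_play", "sideload", "unknown"
    permissions: set = field(default_factory=set)
    accessibility_service: bool = False   # enabled as an accessibility service
    notification_listener: bool = False   # granted notification access


def matched_techniques(app: AppRecord) -> set:
    """Distinct ATT&CK techniques the app's grants could support."""
    techs = {HIGH_RISK_PERMISSIONS[p] for p in app.permissions
             if p in HIGH_RISK_PERMISSIONS}
    if app.accessibility_service:
        techs.add("T1453 Abuse Accessibility Features")
    if app.notification_listener:
        techs.add("T1517 Access Notifications")
    return techs


def assess(app: AppRecord, threshold: int = 5) -> dict:
    """Score one record. The score counts capabilities, not raw permissions,
    and adds context (app category, install source, paired accessibility and
    notification grants) so a single permission never triggers on its own."""
    techs = matched_techniques(app)
    score = len(techs)
    reasons = []
    if app.category in SENSITIVE_CATEGORIES and techs:
        score += 1
        reasons.append(f"{app.category} app with collection-capable grants")
    if app.install_source not in MANAGED_SOURCES:
        score += 1
        reasons.append(f"install source '{app.install_source}' is not a managed store")
    if app.accessibility_service and app.notification_listener:
        score += 1
        reasons.append("accessibility service and notification listener both granted")
    return {
        "package": app.package,
        "score": score,
        "techniques": sorted(techs),
        "reasons": reasons,
        "flag": score >= threshold,
    }


def triage(inventory) -> list:
    """Packages that cross the threshold, highest score first."""
    results = [assess(app) for app in inventory]
    return [r["package"] for r in sorted(results, key=lambda r: -r["score"]) if r["flag"]]


# Constructed inventory records (not real packages or telemetry).
SAMPLE_INVENTORY = [
    AppRecord("com.example.chatapp", "Secure Chat", "messaging", "sideload",
              {"android.permission.RECORD_AUDIO", "android.permission.CAMERA",
               "android.permission.READ_SMS", "android.permission.READ_CONTACTS",
               "android.permission.READ_CALL_LOG", "android.permission.GET_ACCOUNTS",
               "android.permission.READ_PHONE_STATE"},
              accessibility_service=True, notification_listener=True),
    AppRecord("com.example.newsreader", "Daily News", "news", "managed_play", set()),
    AppRecord("com.example.voip", "Team Calls", "messaging", "managed_play",
              {"android.permission.RECORD_AUDIO", "android.permission.CAMERA",
               "android.permission.READ_CONTACTS"}),
    AppRecord("com.example.filesync", "File Sync", "productivity", "sideload",
              {"android.permission.READ_EXTERNAL_STORAGE",
               "android.permission.WRITE_EXTERNAL_STORAGE"}),
]

if __name__ == "__main__":
    for app in SAMPLE_INVENTORY:
        r = assess(app)
        print(f"{r['package']:28} score={r['score']:2} flag={r['flag']} {r['techniques']}")
    print("flagged:", triage(SAMPLE_INVENTORY))
```

The managed-store VoIP app with microphone, camera and contacts stays below the threshold, while the sideloaded messaging app that pairs accessibility and notification access with SMS, contact, call-log and account grants is the only record flagged; the two storage permissions on the file-sync app count once because they map to the same technique. The threshold, category labels and source labels are the parts to tune against a real inventory.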
Mitigation priorities
- Enforce managed Android enrollment for devices accessing sensitive business resources, with app inventory, compliance checks, and remote response capability.
- Restrict sideloading and uncontrolled app sources where business requirements allow; require approval for messaging and news applications used on managed devices.
- Implement periodic review of high-risk Android permissions and accessibility/notification access grants, especially for apps outside the approved baseline.
- Harden identity flows for high-risk users by reducing dependence on SMS or notification-delivered one-time codes where feasible, since related techniques include SMS and notification access.
- Prepare mobile IR procedures that cover device isolation, evidence preservation, app/package review, permission timeline reconstruction, and account-risk review after suspected compromise.
Analyst notes and limits
ATT&CK identifies VajraSpy as Android malware distributed through trojanized messaging and news applications and states it has been used to target individuals in Pakistan and India since at least 2021. The object is attributed with high confidence to Patchwork and has many technique relationships describing mobile collection, discovery, capture, C2, exfiltration, masquerading, phishing, and abuse of Android features. This take translates those relationships into defensive validation priorities; it does not assert that any specific organization is affected.
MITRE provides no official detection guidance and no tactics are specified for this object. Detection and mitigation recommendations therefore depend on local Android management, mobile security tooling, network visibility, identity architecture, and business policy. External reference details were not expanded beyond the supplied citations and relationship context.
VajraSpy
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1639.001 | Exfiltration Over Unencrypted Non-C2 Protocol | VajraSpy has used Retrofit, an HTTP client for Android, to upload unencrypted data to the C2 server via HTTP.[1] |
| Mobile | T1453 | Abuse Accessibility Features | VajraSpy has exploited accessibility features to intercept and exfiltrate communication from WhatsApp, WhatsApp Business and Signal and to automatically enable necessary permissions on the user’s behalf.[1] |
| Mobile | T1636.002 | Call Log | VajraSpy has collected and exfiltrated the call log.[1][3] |
| Mobile | T1429 | Audio Capture | VajraSpy has recorded surrounding audio and phone calls from WhatsApp, WhatsApp Business, Signal, and Telegram by requesting `android.permission.RECORD_AUDIO`.[1][3] |
| Mobile | T1430 | Location Tracking | |
| Mobile | T1426 | System Information Discovery | VajraSpy has requested `android.permission.READ_PHONE_STATE` to collect information about the device.[3] |
| Mobile | T1461 | Lockscreen Bypass | VajraSpy has requested `android.permission.DISABLE_KEYGUARD` to disable the device lock screen password.[3] |
| Mobile | T1420 | File and Directory Discovery | VajraSpy has searched for files with specific extensions, such as .txt, .jpg, .Om4a, .aac and .opus, before exfiltration.[1] |
| Mobile | T1636.005 | Accounts | VajraSpy has requested `android.permission.GET_ACCOUNTS`.[3] |
| Mobile | T1636.004 | SMS Messages | VajraSpy has collected and exfiltrated SMS messages.[1][3] |
| Mobile | T1517 | Access Notifications | VajraSpy has monitored and exfiltrated notifications from messaging applications and from SMS messages.[1] |
| Mobile | T1422.002 | Wi-Fi Discovery | VajraSpy has scanned for Wi-Fi networks.[1] |
| Mobile | T1636.003 | Contact List | VajraSpy has collected and exfiltrated the contact list.[1][3] |
| Mobile | T1512 | Video Capture | VajraSpy has captured pictures using the device’s camera by requesting `android.permission.CAMERA`.[1][3] |
| Mobile | T1409 | Stored Application Data | VajraSpy has collected messages in WhatsApp, WhatsApp Business, and Signal.[1][3] |
| Mobile | T1660 | Phishing | VajraSpy has used a romance trap scam to convince victims to download the trojanized application.[1] |
| Mobile | T1655 | Masquerading | VajraSpy has masqueraded as messaging and news applications.[1][3] |
| Mobile | T1481.002 | Bidirectional Communication | VajraSpy has used Firebase and Google Cloud Storage to send and receive C2 communications and to send collected data.[1][3] |
| Mobile | T1616 | Call Control | VajraSpy has requested `android.permission.CALL_PHONE`.[3] |
| Mobile | T1646 | Exfiltration Over C2 Channel | VajraSpy has exfiltrated captured data to C2 via POST requests.[1] |
| Mobile | T1417.001 | Keylogging | VajraSpy has logged keystrokes of an infected device.[1] |
| Mobile | T1418 | Software Discovery | VajraSpy has obtained and exfiltrated a list of installed applications.[1][3] |
| Mobile | T1533 | Data from Local System | VajraSpy has collected files with specific extensions, such as .txt, .jpg, .Om4a, .aac and .opus, before exfiltration.[1] VajraSpy has also requested `android.permission.WRITE_EXTERNAL_STORAGE` and `android.permission.READ_EXTERNAL_STORAGE`.[3] |
Groups, software, and campaigns
G0040: Patchwork
Patchwork is a cyber espionage group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be a pro-Indian or Indian entity. Patchwork has been seen targeting industries related to diplomatic and government agencies. Much of the code used by this group was copied and pasted from online forums. Patchwork was also seen operating spearphishing campaigns targeting U.S. think tank groups in March and April of 2018.[1][2][3][4]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 4cfcd337d5c0… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] ESET_VajraSpy_Feb2024: Stefanko, L. (2024, February 1). VajraSpy: A Patchwork of espionage apps. Retrieved October 27, 2025.
- [2] ArcticWolf_DroppingElephant_July2025: ArcticWolf. (2025, July 23). Dropping Elephant APT Group Targets Turkish Defense Industry With New Campaign and Capabilities: LOLBAS, VLC Player, and Encrypted Shellcode. Retrieved November 3, 2025.
- [3] K7Dhanalakshmi_VajraSpy_April2022: Dhanalakshmi. (2022, April 19). VajraSpy – An Android RAT. Retrieved November 5, 2025.
- [4] mitre-attack: S9006
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.