A dangerous Android malware campaign disguised as a “Cockroach Janta Party” mobile application is actively targeting smartphone users in India, according to a new security advisory released by TraceX Labs.
Researchers warned that the fake application is not linked to any official organization or political movement but is instead a sophisticated Android spyware and Remote Access Trojan (RAT) designed to steal sensitive personal and financial information from infected devices.
The malware campaign is reportedly spreading rapidly through WhatsApp, Telegram groups, unofficial APK download websites, and social engineering campaigns exploiting trending online discussions and viral internet culture.
Malware Being Shared Through WhatsApp and Telegram
According to the investigation, cybercriminals are distributing the malicious APK file through multiple unofficial channels, including:
- WhatsApp APK sharing
- Telegram groups and channels
- Fake Android app download pages
- Third-party APK websites
- Politically themed social engineering campaigns
Researchers explained that attackers are using the viral popularity of the “Cockroach Janta Party” trend to gain user trust and convince Android users to manually install the application outside the Google Play Store.
Since the app is not available on official app marketplaces, victims are often required to enable Android’s “Install from Unknown Sources” option, bypassing Google Play security protections.
Cybersecurity experts noted that side-loaded APK files remain one of the biggest infection vectors for Android spyware and banking trojans.
Dangerous Permissions Give Attackers Deep Device Access
One of the most serious findings highlighted in the advisory is the number of high-risk permissions requested by the fake app after installation.
According to researchers, the spyware requests access to:
- SMS messages
- Contacts
- Call logs
- Camera
- Device storage
- Accessibility Services
Security analysts warned that granting these permissions can provide attackers near-complete control over an infected device.
The report specifically highlighted the abuse of Android Accessibility Services, which can allow malware to:
- Read on-screen content including OTPs and passwords
- Monitor banking applications
- Capture sensitive financial information
- Perform automated taps and gestures
- Interact with apps silently in the background
- Bypass Android security warnings
Researchers say accessibility abuse has become increasingly common in Android banking malware because it allows cybercriminals to monitor and manipulate user activity without requiring advanced exploits.
Reverse Engineering Reveals Advanced Spyware Capabilities
TraceX Labs conducted a detailed reverse engineering analysis of the APK using Android malware analysis and decompilation tools.
The investigation uncovered several embedded spyware modules capable of:
- SMS interception and OTP forwarding
- Contact and call history theft
- Device fingerprinting
- Gallery and photo theft
- File collection from storage
- Banking app monitoring
- Process and network activity monitoring
- Continuous background surveillance
Researchers stated that the malware appears specifically designed for credential theft, financial fraud, and long-term surveillance operations.
The report also revealed that the spyware communicates continuously with remote infrastructure while blending malicious traffic with legitimate encrypted internet activity, making detection significantly more difficult during normal network monitoring.
Telegram Infrastructure Used for Command-and-Control Activity
According to the advisory, the malware uses Telegram Bot API infrastructure as part of its command-and-control (C2) operations.
Cybersecurity researchers explained that this technique helps attackers hide malicious communication inside regular Telegram and HTTPS traffic, reducing the chances of detection by security systems.
The spyware can reportedly steal and transmit:
- SMS messages and banking OTPs
- Contacts and call logs
- Photos and media files
- Stored documents
- Device identifiers
- SIM card information
- Running application data
Experts warned that infected users may face identity theft, unauthorized banking transactions, account compromise, and major privacy risks.
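The Telegram Bot API command-and-control pattern described in this section can be spotted from the network side. The following Python script is an added detection example, not part of the TraceX Labs report: it scans constructed proxy log lines for handsets calling the Bot API endpoint, whose documented URL form is https://api.telegram.org/bot<token>/<method>, and separates command polling from data uploads. The log format, IP addresses, bot id and token are all constructed placeholders.

```python
"""Added example: flag Telegram Bot API command-and-control from a handset in proxy logs."""
import re
from collections import defaultdict

# Bot API requests look like https://api.telegram.org/bot<bot_id>:<token>/<method>.
# Bots, not the normal Telegram client, use this endpoint, so a phone polling it is a lead.
BOT_PATH = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]+)/([A-Za-z]+)")
EXFIL = {"sendDocument", "sendMessage", "sendPhoto"}  # data leaving the device
POLL = {"getUpdates"}                                  # operator commands coming in

def parse_line(line):
    """Constructed log format: ts,src_ip,host,path,bytes_out ('-' path = CONNECT only)."""
    ts, src, host, path, out = line.strip().split(",")
    return {"ts": ts, "src": src, "host": host, "path": path, "bytes": int(out)}

def classify(rec):
    """None for unrelated hosts; otherwise exfil / c2-poll / bot-other / bot-host."""
    if rec["host"] != "api.telegram.org":
        return None
    m = BOT_PATH.match(rec["path"])
    if not m:
        return "bot-host"  # TLS not inspected: the host alone is still worth noting
    method = m.group(3)
    return "exfil" if method in EXFIL else "c2-poll" if method in POLL else "bot-other"

def scan(lines):
    """Per source device: hit counts per class and bytes sent to the Bot API."""
    per_src = defaultdict(lambda: {"exfil": 0, "c2-poll": 0, "bot-host": 0, "bot-other": 0, "bytes_out": 0})
    for line in lines:
        rec = parse_line(line)
        cls = classify(rec)
        if cls is None:
            continue
        per_src[rec["src"]][cls] += 1
        per_src[rec["src"]]["bytes_out"] += rec["bytes"]
    return dict(per_src)

def suspects(lines, min_polls=3):
    """Devices that both poll for commands and push data, or push a large volume."""
    return {src: s for src, s in scan(lines).items()
            if (s["c2-poll"] >= min_polls and s["exfil"] > 0) or s["bytes_out"] > 1_000_000}

SAMPLE_LOG = [  # constructed lines; bot id and token are placeholders, not real indicators
    "2026-01-10T09:00:01,10.0.0.21,api.telegram.org,/bot123456789:AAEXAMPLEtoken_placeholder/getUpdates,310",
    "2026-01-10T09:00:31,10.0.0.21,api.telegram.org,/bot123456789:AAEXAMPLEtoken_placeholder/getUpdates,310",
    "2026-01-10T09:01:01,10.0.0.21,api.telegram.org,/bot123456789:AAEXAMPLEtoken_placeholder/getUpdates,310",
    "2026-01-10T09:01:05,10.0.0.21,api.telegram.org,/bot123456789:AAEXAMPLEtoken_placeholder/sendDocument,48210",
    "2026-01-10T09:02:00,10.0.0.23,api.telegram.org,-,2200",
]
```

Without TLS inspection a proxy only sees the api.telegram.org host, which is why the bot-host class exists; on such logs, treat a handset that repeatedly contacts that host while the official Telegram app is not installed as the lead to follow up.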
Indian Android Users Main Target of Campaign
Researchers believe the campaign is primarily targeting Indian Android users. During malware analysis, investigators reportedly discovered references related to India and Reliance Jio embedded inside the spyware code.
The malware is said to affect Android smartphones running Android 8 through Android 14 and mainly spreads through APK installations from unofficial sources rather than the Google Play Store.
Safety Recommendations for Android Users
Cybersecurity experts advised users to take immediate precautions to protect their devices from spyware infections.
Recommended safety measures include:
- Download apps only from trusted sources like the Google Play Store
- Avoid APK files shared via WhatsApp or Telegram
- Keep Google Play Protect enabled
- Disable “Install from Unknown Sources”
- Carefully review app permissions
- Never grant Accessibility permissions to unknown apps
- Use authenticator apps instead of SMS-based OTP verification
Users who suspect infection are advised to uninstall suspicious applications immediately, revoke Accessibility permissions, reset passwords using another trusted device, and monitor banking accounts for suspicious activity.
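The Accessibility Services abuse described earlier and the advice here to revoke Accessibility permissions can both be checked from a workstation. The following Python script is an added example, not from the TraceX Labs report: it parses the value returned by `adb shell settings get secure enabled_accessibility_services`, lists packages holding Accessibility access that are not on an allowlist, and builds the setting value that removes them. The allowlist and the com.example.fakeapp package name are constructed.

```python
"""Added example: audit which apps hold Accessibility access on an Android device."""
from __future__ import annotations

# Android stores enabled services in the secure setting
# "enabled_accessibility_services" as colon-separated "package/ServiceClass"
# entries (read with: adb shell settings get secure enabled_accessibility_services).
# A class beginning with '.' is relative to its package.
SETTING = "enabled_accessibility_services"

# Hypothetical allowlist: accessibility apps you expect on the device.
ALLOWLIST = {"com.google.android.marvin.talkback"}


def parse_enabled_services(raw: str) -> list[tuple[str, str]]:
    """Split the raw setting value into (package, fully qualified service) pairs."""
    raw = raw.strip()
    if not raw or raw == "null":  # 'null' is printed when nothing is enabled
        return []
    pairs = []
    for entry in raw.split(":"):
        if "/" not in entry:
            continue
        pkg, svc = entry.split("/", 1)
        if svc.startswith("."):
            svc = pkg + svc
        pairs.append((pkg, svc))
    return pairs


def find_suspicious(raw: str, allowlist: set[str] = ALLOWLIST) -> list[str]:
    """Packages with Accessibility enabled that are not on the allowlist."""
    return sorted({pkg for pkg, _ in parse_enabled_services(raw) if pkg not in allowlist})


def revocation_value(raw: str, remove: set[str]) -> str:
    """New setting value with the given packages dropped; apply it with
    adb shell settings put secure enabled_accessibility_services '<value>'."""
    kept = [f"{p}/{s}" for p, s in parse_enabled_services(raw) if p not in remove]
    return ":".join(kept)


# Constructed sample: a genuine screen reader plus an unknown side-loaded app.
SAMPLE = ("com.google.android.marvin.talkback/"
          "com.google.android.marvin.talkback.TalkBackService:"
          "com.example.fakeapp/.BankAccessService")

if __name__ == "__main__":
    bad = find_suspicious(SAMPLE)
    print("unexpected accessibility services:", bad)
    print(f"adb shell settings put secure {SETTING} '{revocation_value(SAMPLE, set(bad))}'")
```

Run it against the live value from a connected device; a side-loaded package appearing in the list is exactly the permission the advisory says to revoke before resetting credentials from a separate trusted device.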
Researchers warned that Android spyware campaigns are becoming increasingly sophisticated as cybercriminals continue exploiting viral trends, political branding, and social engineering tactics to target users at scale.
Source: https://tracexlabs.com/reports/cockroach-janta-party-malware-threat-report-2026.html
