A dangerous Android malware campaign disguised as a “Cockroach Janta Party” mobile application is rapidly spreading across India through WhatsApp, Telegram channels, and unofficial APK download websites, according to a new warning issued by TraceX Labs.
Cybersecurity experts have classified the threat as “critical” after discovering that the fake application contains powerful spyware, banking malware, and remote access trojan (RAT) capabilities designed to secretly monitor infected smartphones and steal sensitive personal information.
Fake Political APK Being Used to Trap Android Users
Researchers say attackers are exploiting the viral “Cockroach Janta Party” online trend to trick users into installing a malicious Android APK outside the Google Play Store.
The malware campaign reportedly relies heavily on social engineering: users receive APK files through WhatsApp forwards, Telegram groups, and third-party Android app websites claiming to offer the trending app.
Security analysts clarified that the actual Cockroach Janta Party movement has no connection with the spyware campaign and is itself being misused by cybercriminals for malware distribution.
WhatsApp and Telegram Become Main Distribution Channels
According to the advisory, the malicious APK is being circulated through:
- WhatsApp file sharing
- Telegram communities and channels
- Fake APK download portals
- Third-party Android stores
- Social media trend-based campaigns
Researchers observed multiple cases where users were encouraged to install files named “Cockroach Janta Party.apk,” often presented as a viral entertainment or political app.
Experts warned that manually installing APK files from unknown sources can expose Android devices to severe security risks because such apps bypass Google’s official security verification systems.
Malware Requests Highly Sensitive Permissions
After installation, the fake app reportedly asks for several dangerous Android permissions that can give attackers extensive control over the infected device.
These permissions include:
- SMS access
- Contacts permission
- Call log access
- Camera access
- Internal storage access
- Accessibility Services permission
Cybersecurity researchers highlighted Accessibility Services as one of the most dangerous permissions because it can allow malware to monitor everything displayed on-screen, capture OTPs, steal passwords, and even control banking apps without the user's knowledge.
Spyware Can Steal OTPs, Photos, Banking Data, and Documents
During reverse engineering analysis, TraceX Labs reportedly identified advanced spyware modules embedded within the APK.
The malware is capable of:
- Reading and forwarding SMS messages
- Capturing banking OTPs
- Stealing contacts and call history
- Monitoring installed banking applications
- Accessing photos and media files
- Collecting stored documents
- Gathering device information
- Performing silent background surveillance
Researchers discovered suspicious internal components including:
- AccessibilityServiceStub.smali
- SmsForward.smali
- TelegramC2.smali
- ProcessMonitor.smali
Experts say these modules indicate a highly sophisticated Android surveillance and financial fraud operation.
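As an added defender-side example (not TraceX Labs' tooling or anything from the campaign itself), the following Python triage heuristic scans a decoded AndroidManifest.xml for the permission combination and the accessibility-service declaration described above; the sample manifest, its package name and its class name are constructed for illustration.

```python
"""Added triage heuristic, not TraceX Labs' tooling: flag a decoded AndroidManifest.xml
that pairs the advisory's SMS/contacts/call-log/camera/storage permissions with an
accessibility service."""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Permission groups named in the advisory, keyed by the manifest strings that grant them
RISKY_PERMISSIONS = {
    "android.permission.READ_SMS": "SMS",
    "android.permission.RECEIVE_SMS": "SMS",
    "android.permission.READ_CONTACTS": "Contacts",
    "android.permission.READ_CALL_LOG": "Call log",
    "android.permission.CAMERA": "Camera",
    "android.permission.READ_EXTERNAL_STORAGE": "Storage",
}
# An accessibility service is a <service> guarded by this permission
BIND_A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def triage_manifest(xml_text):
    """Return risky permission groups, accessibility-service flag and a coarse verdict."""
    root = ET.fromstring(xml_text)
    requested = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    groups = sorted({RISKY_PERMISSIONS[p] for p in requested if p in RISKY_PERMISSIONS})
    has_a11y = any(s.get(ANDROID + "permission") == BIND_A11Y for s in root.iter("service"))
    if has_a11y and len(groups) >= 3:
        verdict = "HIGH"    # screen reading plus bulk data access: spyware-style combination
    elif has_a11y or groups:
        verdict = "REVIEW"  # legitimate apps may need a subset; inspect manually
    else:
        verdict = "LOW"
    return {"groups": groups, "accessibility_service": has_a11y, "verdict": verdict}


# Constructed sample manifest; package and class names are invented for illustration
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.sample">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application>
    <service android:name=".A11yStub"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""
```

Run the heuristic over the manifest extracted from any side-loaded APK with a decoder such as apktool; a HIGH verdict means the app should be treated as suspect until reviewed, not that it is confirmed malware.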
Telegram Infrastructure Helps Malware Avoid Detection
One of the most concerning findings from the investigation is the malware’s use of Telegram Bot API infrastructure for command-and-control communication.
Security researchers explained that attackers are leveraging Telegram’s encrypted traffic to hide malicious activity inside normal HTTPS network communication, making the spyware more difficult to detect through traditional monitoring tools.
The malware can reportedly transmit:
- SMS data and OTP codes
- Contact lists
- Call records
- Photos and videos
- Device identifiers
- SIM card information
- Installed app details
Experts warned that infected users could face unauthorized banking transactions, identity theft, financial fraud, and serious privacy violations.
Indian Smartphone Users Are Primary Targets
TraceX Labs researchers believe the malware campaign is mainly targeting Indian Android users. During analysis, investigators reportedly found references linked to Indian telecom networks, including Reliance Jio, embedded within the spyware code.
The malware is said to affect Android devices running Android 8 to Android 14 and spreads mainly through side-loaded APK installations rather than official app stores.
How Android Users Can Stay Safe
Cybersecurity experts are advising users to take immediate precautions to avoid infection.
Recommended safety measures include:
- Install apps only from the Google Play Store
- Avoid APK files received on WhatsApp or Telegram
- Keep Google Play Protect enabled
- Disable “Install Unknown Apps”
- Review app permissions carefully
- Never grant Accessibility access to unknown apps
- Use authenticator apps instead of SMS OTPs for banking
Users who may have installed suspicious APKs are advised to uninstall them immediately, revoke Accessibility permissions, reset passwords using another trusted device, and monitor bank accounts for suspicious transactions.
Researchers warned that malware campaigns using viral internet trends and political branding are becoming increasingly common, making mobile cybersecurity awareness essential for Android users in India.