Cockroach Janta Party Malware APK Targets Android Users Through WhatsApp and Telegram, Warns TraceX Labs
Indian cybersecurity company TraceX Labs has issued a public security advisory warning Android users about a dangerous malware campaign involving a fake “Cockroach Janta Party” mobile application. According to the company’s threat intelligence report, the malicious APK is actively being distributed through WhatsApp, Telegram groups, and unofficial APK download websites to infect Android devices and steal sensitive personal information.
Researchers at TraceX Labs identified the fake application as a sophisticated Android Remote Access Trojan (RAT), spyware, and banking malware capable of intercepting OTPs, monitoring user activity, stealing contacts and SMS messages, accessing call logs, and collecting files stored on infected smartphones. The company classified the threat severity as “CRITICAL” because of the malware’s extensive surveillance and data theft capabilities.
Malware Campaign Exploits Viral “Cockroach Janta Party” Trend
According to the advisory, cybercriminals are exploiting the growing popularity of the viral “Cockroach Janta Party” internet movement to socially engineer users into downloading the malicious APK. TraceX Labs clarified that the legitimate Cockroach Janta Party has no connection to the malware and is itself a victim of impersonation by threat actors.
The malware is reportedly spreading through multiple channels, including:
- WhatsApp APK sharing
- Telegram groups and channels
- Fake APK download websites
- Third-party Android app stores
- Social engineering campaigns targeting Gen Z users
The report includes evidence showing the fake “Cockroach Janta Party.apk” being shared directly in WhatsApp chats and Telegram communities as a downloadable Android application.
Dangerous Android Permissions Requested
Once installed, the malicious application requests several high-risk Android permissions, including:
- SMS access
- Contacts access
- Call log permissions
- Camera permissions
- Storage access
- Accessibility Service permissions
TraceX Labs warned that the Accessibility Service permission is particularly dangerous because it allows attackers to silently monitor screen activity, capture OTPs and passwords, bypass Android security prompts, perform automated gestures, and interact with banking applications in the background without the user’s knowledge.
Researchers noted that abuse of Android Accessibility Services has become increasingly common in banking trojans and mobile spyware because it provides attackers with broad control over infected devices.
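An added triage sketch, not taken from the TraceX Labs report: it reads a decoded AndroidManifest.xml and reports which of the permission categories listed above an app requests, flagging SMS access combined with a declared Accessibility Service. The mapping from the advisory's categories to Android permission names and the sample manifest (package `com.example.sample`) are assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."
A11Y_BIND = P + "BIND_ACCESSIBILITY_SERVICE"
# Assumed mapping of the advisory's categories to Android permission names.
HIGH_RISK = {
    "sms": {"READ_SMS", "RECEIVE_SMS", "SEND_SMS"},
    "contacts": {"READ_CONTACTS"},
    "call_log": {"READ_CALL_LOG"},
    "camera": {"CAMERA"},
    "storage": {"READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE",
                "MANAGE_EXTERNAL_STORAGE"},
}

# Constructed sample manifest (not from the analysed APK).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".ExampleA11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

def triage_manifest(xml_text):
    """Return the high-risk permission categories a decoded manifest requests."""
    root = ET.fromstring(xml_text)
    requested = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    categories = sorted(c for c, names in HIGH_RISK.items()
                        if any(P + n in requested for n in names))
    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE.
    a11y = [s.get(ANDROID + "name") for s in root.iter("service")
            if s.get(ANDROID + "permission") == A11Y_BIND]
    if a11y:
        categories.append("accessibility")
    return {
        "package": root.get("package"),
        "categories": categories,
        "accessibility_services": a11y,
        # SMS access plus an accessibility service covers both OTP routes described above.
        "critical": "sms" in categories and bool(a11y),
    }

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

The input is the text XML form of the manifest, as produced by an APK decoding tool; the binary manifest inside an APK must be decoded first.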
Reverse Engineering Revealed Advanced Spyware Modules
The Indian cybersecurity firm conducted a detailed reverse engineering investigation of the APK using malware analysis and decompilation tools. The analysis uncovered multiple embedded spyware components designed for long-term surveillance and credential theft.
According to the report, the malware includes capabilities related to:
- SMS interception and OTP forwarding
- Contact and call history theft
- Device fingerprinting
- File and gallery theft
- Banking application monitoring
- Background surveillance operations
- Process and network activity monitoring
Researchers identified several malicious modules inside the APK, including SmsForward.smali, TelegramC2.smali, AccessibilityServiceStub.smali, and ProcessMonitor.smali, indicating highly invasive spyware functionality.
Telegram Used as Command-and-Control Infrastructure
TraceX Labs also revealed that the malware uses Telegram’s Bot API infrastructure as its command-and-control (C2) communication channel. By blending malicious traffic with legitimate Telegram and Google HTTPS traffic, attackers can make detection significantly more difficult during standard network monitoring.
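A detection sketch for the Bot API channel described above, added here and not part of the TraceX Labs advisory: it scans per-app web proxy or MDM logs for requests to `api.telegram.org` made by apps other than an approved Telegram client, and redacts the bot token secret. The four-field log format, the allowlist, and the sample lines (including the placeholder token) are assumptions constructed for this example; request paths are only visible where TLS is inspected, so host-only records are still reported without a method.

```python
import re
from urllib.parse import urlsplit

BOT_API_HOST = "api.telegram.org"
# Assumption: apps expected to reach Telegram in this fleet; tune per deployment.
ALLOWED_APPS = {"org.telegram.messenger"}
# Bot API requests have the form /bot<id>:<secret>/<method>.
BOT_PATH = re.compile(r"^/bot(\d+):[\w-]+/(\w+)")

# Constructed sample log: timestamp, device, app package, URL.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z phone-01 com.android.chrome https://www.google.com/search
2024-01-01T10:00:05Z phone-02 com.example.unknownapp https://api.telegram.org/bot0000000000:CONSTRUCTED-PLACEHOLDER/sendDocument
2024-01-01T10:00:09Z phone-02 com.example.unknownapp https://api.telegram.org/bot0000000000:CONSTRUCTED-PLACEHOLDER/sendMessage
2024-01-01T10:00:12Z phone-03 org.telegram.messenger https://api.telegram.org/
2024-01-01T10:00:20Z phone-04 com.example.other https://api.telegram.org
"""

def find_bot_api_traffic(log_text):
    """Return one finding per Bot API request from a non-allowlisted app."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records
        ts, device, app, url = parts
        u = urlsplit(url)
        if (u.hostname or "").lower() != BOT_API_HOST or app in ALLOWED_APPS:
            continue
        m = BOT_PATH.match(u.path)
        findings.append({
            "time": ts,
            "device": device,
            "app": app,
            # Keep the numeric bot id for correlation; never store the secret part.
            "bot_id": m.group(1) if m else None,
            "method": m.group(2) if m else None,
        })
    return findings

if __name__ == "__main__":
    for f in find_bot_api_traffic(SAMPLE_LOG):
        print(f)
```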
According to the advisory, the spyware is capable of exfiltrating:
- SMS messages and banking OTPs
- Contacts and call history
- Photos and videos
- Documents and stored files
- Device identifiers and SIM information
- Banking-related data
- Running application details
The report warns that victims may face identity theft, unauthorized banking access, financial fraud, and major privacy risks if infected.
Indian Android Users Primary Target
The investigation suggests that Indian Android users are the primary target of the malware campaign. Researchers discovered hardcoded references to India and Reliance Jio within the spyware’s codebase, indicating that attackers may specifically be targeting Indian mobile users.
The malware reportedly affects Android devices running Android 8 through Android 14 and spreads mainly through side-loaded APK installations that bypass Google Play Store protections.
TraceX Labs Issues Security Recommendations
TraceX Labs advised Android users to install applications only from trusted sources such as the Google Play Store and avoid APK files shared through WhatsApp, Telegram, or unknown websites.
The company also recommended that users:
- Keep Google Play Protect enabled
- Avoid enabling “Install from Unknown Sources”
- Carefully review app permissions before granting access
- Never grant Accessibility permissions to unknown apps
- Use authenticator apps instead of SMS-based OTP authentication
Users who suspect infection are advised to immediately uninstall suspicious applications, disable Accessibility permissions, reset passwords from another trusted device, and monitor banking accounts for unusual activity.
TraceX Labs emphasized that Android malware campaigns are increasingly exploiting viral internet trends, political branding, and social engineering techniques to infect users, making cybersecurity awareness and safe mobile practices more important than ever.




