Fake Cockroach Janta Party APK Shows Malware’s New Bait

The fake Cockroach Janta Party APK is an Android Package Kit (APK, the file format used to install Android apps) and a political-themed malware lure, not a party app. The file is roughly 5 MB, and TraceX Labs, a cybersecurity research firm, says it is an active remote access trojan, spyware and banking trojan spread through WhatsApp, Telegram groups and a spoof downloader page.

The sharper risk sits in trust laundering. A name moving through familiar chats can make a dangerous permission screen feel like campaign housekeeping, and the May 22, 2026 advisory says one grant, Accessibility, can expose one-time passwords, bank details and on-screen activity.

The Lure Came Through Chats, Not an App Store

The public record begins with a file, Cockroach Janta Party.apk, moving outside the normal app-store path. The May 22 threat intelligence report classifies the campaign as critical, active and aimed at people likely to trust a viral political name.

That route matters. A Play Store listing has developer identity, reviews, automatic scanning and takedown pressure. A forwarded installer has a chat sender, a promise and the user’s own tap. The malicious package used the fraudulent package name Cockroach.Janta.Party, according to the report, while the real group was being impersonated.

The numbers are small enough to feel harmless, which is part of the danger.

  • 5 MB approximate file size, which makes the installer easy to forward in chat groups.
  • Android 8.0 to Android 14 reported target range in the technical summary.
  • 3 confirmed channels listed by researchers: WhatsApp sharing, Telegram groups and a fake downloader site.
  • Critical threat level assigned in the public advisory.

Permissions Turned the Phone Into the Target

The dangerous part sits behind the permission sequence. A political updates app should need a narrow set of powers: maybe notifications, internet access and storage for downloaded material. This sample asked for SMS, call logs, contacts, camera, storage and an accessibility service.

Android Accessibility is powerful by design. Google’s official Android AccessibilityService reference says such services run in the background, receive user-interface events and can request the ability to query the active window. That is useful for people who need assistance using a phone. In hostile hands, the Accessibility permission can become screen reading and automated tapping.

Permission Area | Legitimate Use | Malware Value in This Case
Accessibility service | Assistive control for users with disabilities | Read screen content, observe app activity and automate clicks
SMS and call logs | Messaging, dialer, spam filtering or account verification features | Capture one-time passwords, call history and verification messages
Contacts, camera and storage | Sharing files, adding friends or attaching media | Collect address books, photos, files and identity clues

Google also treats SMS and call log access as high-risk. Its SMS and call log permission policy says developers should use those permissions only for permitted core functions and must declare qualifying uses through Play Console.

Put those controls together and the fake app’s request pattern tells a simple story. It was built to make the phone itself the source of value, not to deliver campaign news.
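The permission comparison described above can be automated at review time. The script below is an added example for this article, not code from the report or from TraceX Labs: it parses an Android manifest, compares the requested permissions with the narrow set a political-updates app plausibly needs (that expected set is an assumption following the article's reasoning), and flags the pairing the report singles out, SMS or call-log access combined with a declared accessibility service. The manifest it runs on is constructed to mirror the request pattern described here and is not the real sample's manifest.

```python
"""Review an Android manifest's permission requests against the narrow set a
political-updates app should need.  Added example for this article; the
manifest below is constructed and is not the real sample's manifest."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS
PERMISSION_ATTR = "{%s}permission" % ANDROID_NS
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"

# What a news/updates app plausibly needs (assumption following the article's reasoning).
EXPECTED_FOR_NEWS_APP = {
    "android.permission.INTERNET",
    "android.permission.POST_NOTIFICATIONS",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}

# Permissions whose abuse value the article's table describes.
HIGH_RISK = {
    "android.permission.READ_SMS": "capture one-time passwords and verification messages",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.READ_CALL_LOG": "collect call history",
    "android.permission.READ_CONTACTS": "collect the address book",
    "android.permission.CAMERA": "capture images",
}

# Constructed manifest shaped like the request pattern in the report (not the real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.constructed.updates">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application android:label="Updates">
    <service android:name=".MonitorService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""


def accessibility_services(root):
    """Return names of services that bind as accessibility services, by permission or intent action."""
    found = []
    for svc in root.iter("service"):
        actions = {a.get(NAME_ATTR) for a in svc.iter("action")}
        if svc.get(PERMISSION_ATTR) == ACCESSIBILITY_BIND or ACCESSIBILITY_ACTION in actions:
            found.append(svc.get(NAME_ATTR))
    return found


def review_manifest(manifest_xml):
    """Compare requested permissions with the expected set and rate the combination."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}
    services = accessibility_services(root)
    high_risk = {p: HIGH_RISK[p] for p in sorted(requested) if p in HIGH_RISK}
    unexpected = sorted(requested - EXPECTED_FOR_NEWS_APP)
    sms_or_calls = any(p.endswith(("_SMS", "_CALL_LOG")) for p in high_risk)
    # The pairing the report flags: message/call capture plus an accessibility service.
    if services and sms_or_calls:
        verdict = "critical"
    elif services or high_risk:
        verdict = "high"
    elif unexpected:
        verdict = "review"
    else:
        verdict = "expected"
    return {
        "package": root.get("package"),
        "unexpected": unexpected,
        "high_risk": high_risk,
        "accessibility_services": services,
        "verdict": verdict,
    }


if __name__ == "__main__":
    report = review_manifest(SAMPLE_MANIFEST)
    print("Package:", report["package"], "verdict:", report["verdict"])
    for perm, why in report["high_risk"].items():
        print("  high-risk", perm, "->", why)
    for svc in report["accessibility_services"]:
        print("  accessibility service declared:", svc)
```

The verdict is deliberately driven by the combination rather than any single permission: a dialer legitimately reads call logs and a screen reader legitimately binds an accessibility service, but an app promising political updates that asks for both at once is the pattern the report describes.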

Telegram Became the Command Channel

The report’s most important network claim is command and control (C2, attacker infrastructure used to send instructions and receive stolen data). Researchers identified a TelegramC2.smali module, along with hardcoded bot credentials and a chat ID. The sample also mixed its network activity with Google and chat-service traffic, which can make first-stage detection harder for defenders watching ordinary encrypted flows.

Telegram’s official Bot API documentation describes an application programming interface (API, a software path for programs to talk to a service) over Hypertext Transfer Protocol Secure (HTTPS, encrypted web traffic). That design helps legitimate developers build bots quickly. Malware operators like it for the same reason: it is cheap, familiar and sits on infrastructure many networks already allow.

This case fits a pattern seen in other chat-centered schemes. Our earlier coverage of Mini Apps fraud pushing Android malware showed how attackers borrow familiar messaging surfaces, then shift victims toward downloads or payment flows. The social setting lowers suspicion before the code ever runs.

India Sits in the Code Path

The code points hard toward India. The report says a SIM module contained fallback values for the country code "in" and the operator name Reliance Jio. That does not prove every target used that carrier, but it does show the attacker expected Indian devices to be in scope.

The wider phone-threat market makes that believable. Zscaler’s 2025 mobile threat report summary said Android malware transactions rose 67% year-over-year and that India accounted for 26% of observed mobile attack activity. Kaspersky’s mobile banker malware release said Trojan banker attacks on Android smartphones increased 56% in 2025, with 255,090 new installation packages detected.

The party has NOT released any mobile application.

That sentence appears in the advisory’s final statement. It matters because the legitimate political group is also a victim here. Brand impersonation creates two harms at once: users lose data or money, and a public name is dragged into malware warnings it did not cause.

The User Fix Starts Before Uninstall

If the app is on a phone, the first job is to cut its reach without giving it more chances to act. The report’s user advice is practical: remove the app, check accessibility settings, reset banking passwords from a different device and review financial activity.

  1. Open Settings > Apps and look for the suspicious app or the package Cockroach.Janta.Party.
  2. Open Settings > Accessibility > Installed Services and turn off any matching or suspicious service before removal.
  3. Uninstall the app, then restart the phone.
  4. Reset banking, wallet, email and social passwords from another device that was not infected.
  5. Where possible, switch from SMS codes to an authenticator app for two-factor authentication (2FA, a second login proof after the password).
  6. Check bank statements and wallet activity, then contact the bank immediately if anything looks wrong.
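For a support desk or incident responder with the handset in hand, the first three steps can be checked over a USB debugging connection instead of by tapping through Settings. The script below is an added example for this article, not from the report: it parses the output of two real adb commands, `pm list packages -3` (third-party packages) and `settings get secure enabled_accessibility_services` (the colon-separated list of enabled accessibility components, or "null" when none is enabled), and reports whether the advisory's package is installed and whether it has an accessibility service switched on. The sample outputs are constructed so the parsing runs without a device attached; the package name is the one quoted in the advisory.

```python
"""Device-side triage for the removal steps above, using adb output.
Added example for this article, not from the report; the sample outputs
are constructed so the parsing runs without a device attached."""
import subprocess

SUSPECT_PACKAGE = "Cockroach.Janta.Party"  # package name quoted in the advisory

# Constructed output in the shape of `adb shell pm list packages -3` (third-party apps).
SAMPLE_PM_OUTPUT = """package:com.example.bank
package:Cockroach.Janta.Party
package:org.example.messenger
"""

# Constructed output in the shape of `adb shell settings get secure enabled_accessibility_services`:
# colon-separated component names, or "null" when nothing is enabled.
SAMPLE_ACCESSIBILITY_OUTPUT = (
    "com.example.screenreader/.ReaderService:Cockroach.Janta.Party/.MonitorService\n"
)


def parse_package_list(pm_output):
    """Turn 'package:<name>' lines into a set of package names."""
    return {
        line.split(":", 1)[1].strip()
        for line in pm_output.splitlines()
        if line.startswith("package:")
    }


def parse_enabled_accessibility(settings_output):
    """Return (package, service) pairs from the enabled_accessibility_services value."""
    value = settings_output.strip()
    if not value or value == "null":
        return []
    pairs = []
    for component in value.split(":"):
        pkg, _, service = component.partition("/")
        if pkg:
            pairs.append((pkg, service))
    return pairs


def triage(pm_output, settings_output, suspect=SUSPECT_PACKAGE):
    """Report whether the suspect package is installed and which accessibility services it enabled."""
    installed = {p.lower() for p in parse_package_list(pm_output)}
    enabled = [
        f"{pkg}/{svc}" for pkg, svc in parse_enabled_accessibility(settings_output)
        if pkg.lower() == suspect.lower()
    ]
    present = suspect.lower() in installed
    return {
        "installed": present,
        "enabled_accessibility": enabled,
        # Order matters: disable the service first (step 2), then uninstall and restart (step 3).
        "next_steps": (["disable accessibility service"] if enabled else [])
        + (["uninstall", "restart"] if present else []),
    }


def adb_shell(*args):
    """Run an adb shell command and return its stdout (requires adb and a connected device)."""
    return subprocess.run(
        ["adb", "shell", *args], capture_output=True, text=True, check=True
    ).stdout


if __name__ == "__main__":
    try:
        result = triage(
            adb_shell("pm", "list", "packages", "-3"),
            adb_shell("settings", "get", "secure", "enabled_accessibility_services"),
        )
    except (FileNotFoundError, subprocess.CalledProcessError):
        print("adb not available; running against constructed sample output")
        result = triage(SAMPLE_PM_OUTPUT, SAMPLE_ACCESSIBILITY_OUTPUT)
    print(result)
```

The package comparison is case-insensitive on purpose: the advisory prints the name with capitals, and a responder should not miss a match because a report and a device list differ only in case. The ordering in next_steps mirrors the article's advice of disabling the accessibility service before uninstalling, so the app gets no further chance to read the screen while it is being removed.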

For users who did not install the file, the best move is boring: do not sideload campaign, banking or giveaway apps from chat links. Google’s Play Protect help page says the service checks apps from Google Play and other sources, warns about harmful apps and may remove or deactivate them.

Still, no scanner makes a forwarded installer safe by default. The warning screen is not paperwork. It is the last place a user can stop a chat rumor from becoming a device compromise.

Defenders Need Indicators, Not Another Warning Poster

The organizational version of this story is less about awareness posters and more about indicators of compromise (IOC, technical clues defenders use to find or block a threat). A security team can use the file hash, package name, domain, suspicious permission set and traffic pattern to look for infected phones or attempted downloads.

The indicator section of the full PDF report lists the Secure Hash Algorithm 256-bit (SHA256, a file fingerprint used to identify the sample) value and network clues. Teams should avoid pasting attacker bot tokens into tickets unless the ticket is access-controlled, since those values are sensitive operational data.

  • Hash: feb27289458d91f8a98e252b1199387fb2fa68a5631db08d14ec7e8f0964473d
  • Package: Cockroach.Janta.Party
  • Domain to block or monitor: cockroachjantaparty[.]org
  • Behavior to watch: unknown Android device sending unusual bot-style HTTPS traffic after requesting SMS, call log and Accessibility access.
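The indicators above, together with the Telegram command channel described earlier, can be turned into a simple sweep over proxy logs and a mobile-device-management (MDM) inventory export. The script below is an added example for this article, not code from the report: the hash, package name and defanged domain are the ones quoted above; the log lines are constructed; and the Telegram Bot API URL pattern is an assumption based on the public https://api.telegram.org/bot<token>/<method> form. Following the advice above about bot tokens, the match output keeps only the numeric bot id for correlation and redacts the secret part.

```python
"""Match the advisory's indicators against proxy-log and MDM-inventory lines.
Added example for this article; indicators are quoted from the advisory,
the log lines are constructed, and the bot-URL pattern is an assumption."""
import re

IOC_SHA256 = "feb27289458d91f8a98e252b1199387fb2fa68a5631db08d14ec7e8f0964473d"
IOC_PACKAGE = "Cockroach.Janta.Party"
IOC_DOMAIN_DEFANGED = "cockroachjantaparty[.]org"


def refang(indicator):
    """Advisories defang domains as name[.]tld; restore the dot before matching."""
    return indicator.replace("[.]", ".")


IOC_DOMAIN = refang(IOC_DOMAIN_DEFANGED)

# Bot API calls look like api.telegram.org/bot<id>:<secret>/<method> (assumed public URL form);
# capture id and secret separately so the secret can be redacted.
BOT_API_RE = re.compile(r"api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]+)/(\w+)", re.IGNORECASE)


def redact_token(bot_id, secret):
    """Keep the bot id for correlation, drop the secret (it is attacker operational data)."""
    return f"{bot_id}:<redacted {len(secret)} chars>"


def scan_line(line):
    """Return a list of (indicator_type, value) findings for one log or inventory line."""
    findings = []
    lowered = line.lower()
    if IOC_SHA256 in lowered:
        findings.append(("sha256", IOC_SHA256))
    if IOC_PACKAGE.lower() in lowered:
        findings.append(("package", IOC_PACKAGE))
    if IOC_DOMAIN in lowered:
        findings.append(("domain", IOC_DOMAIN_DEFANGED))
    m = BOT_API_RE.search(line)
    if m:
        detail = f"bot {redact_token(m.group(1), m.group(2))} method {m.group(3)}"
        findings.append(("telegram_bot_api", detail))
    return findings


def scan(lines):
    """Scan many lines; return findings as (line_number, indicator_type, value)."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for kind, value in scan_line(line):
            hits.append((number, kind, value))
    return hits


# Constructed sample lines: three web-proxy entries and one MDM app-inventory export row.
SAMPLE_LINES = [
    "2026-05-23T08:01:12Z 10.20.30.41 GET https://cockroachjantaparty.org/download/app.apk 200",
    "2026-05-23T08:04:55Z 10.20.30.41 POST https://api.telegram.org/bot1234567890:EXAMPLE-TOKEN_not_real/sendDocument 200",
    "2026-05-23T08:05:01Z 10.20.30.42 GET https://www.google.com/ 200",
    "mdm-export device=ANDROID-7F2A package=cockroach.janta.party sha256=feb27289458d91f8a98e252b1199387fb2fa68a5631db08d14ec7e8f0964473d",
]

if __name__ == "__main__":
    for number, kind, value in scan(SAMPLE_LINES):
        print(f"line {number}: {kind} -> {value}")
```

Two design points worth noting. The domain is matched after refanging, because copying a defanged indicator straight into a block list or search silently matches nothing. And the bot-API match reports the HTTPS call shape rather than trying to decrypt anything: as the article says, the traffic blends with ordinary chat-service flows, so the signal defenders have is a device that starts talking to the Bot API endpoint shortly after requesting SMS, call-log and Accessibility access.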

The behavior also maps cleanly to known mobile attack techniques. MITRE’s mobile ATT&CK technique catalog includes abuse of accessibility features, SMS collection, call-log collection, contacts collection and application-layer protocols for command channels.

For workplace teams, the risk is not limited to personal phones. A compromised handset can hold work email, authenticator prompts, customer contacts and internal chat history. If employees use personal devices for work, this campaign belongs in mobile device policy, not just in a consumer safety note.

The Name Was the Weak Point

The campaign’s most useful trick was the name. A phone can show permission warnings, scanners can flag known hashes and defenders can block a domain. But a familiar political joke or movement traveling through a trusted group chat can still push a user into manual installation.

That same social muscle shows up in lighter forms too. In earlier coverage of a fake Facebook privacy notice hoax, the damage came from people copying a familiar warning before checking it. The app case carries higher stakes because the user is not just sharing bad information. The user is handing over the phone.

Google’s own Android app safety update said Play Protect now scans over 350 billion apps daily and identified more than 27 million new malicious apps from outside Google Play in 2025. Those numbers show how large the outside-store problem has become, even before a viral political brand gets attached to a file.

If users treat a forwarded installer as an app, the next lure needs only a louder name. If group admins kill the file before it leaves the chat, the campaign becomes an IOC instead of a bank-fraud story.

Disclaimer: This article is for informational purposes only. Malware response, banking security and account recovery steps can vary by device, bank and local law. Consult your bank, a qualified cybersecurity professional or relevant authorities before acting on high-risk account or forensic issues. Figures and indicators are accurate as of publication.

Harrie Wade is a seasoned journalist with over 20 years of hands-on experience at leading U.S. news agencies, including CNN and Reuters, where he reported on diverse niches from politics and technology to environment and society. With specialized authority in YMYL topics like finance, health, and public safety, backed by collaborations with experts from the CDC, Federal Reserve, and peer-reviewed sources, he ensures evidence-based, accurate insights. Holding a Bachelor's in Journalism from Columbia University, Harrie founded News Analysis in 2015 to deliver original, unbiased content across all beats, while mentoring emerging journalists to uphold the highest ethical standards for trustworthy reporting.
