Wednesday, 2 April 2025
24.1 C
Singapore
31.1 C
Thailand
21.9 C
Indonesia
26.8 C
Philippines

ESET Research discovers eXotic Visit campaign, targeted attack via fake messaging apps, available on web and Google Play

ESET researchers discover an Android spyware campaign, eXotic Visit, using apps posing as messengers to target users in India and Pakistan.

ESET researchers have discovered an active espionage campaign targeting Android users with apps primarily posing as messaging services. While these apps offer functional services as bait, they are bundled with the open-source XploitSPY malware. ESET has named this campaign eXotic Visit and has tracked its activities from November 2021 through to the end of 2023. The targeted campaign has been distributing malicious Android apps through dedicated websites and, for a period of time, through the Google Play store as well. Because of the targeted nature of the campaign, the apps available on Google Play had a low number of installs; all of them have been removed from the store. In this likely targeted attack, the eXotic Visit campaign appears to primarily target a select group of Android users in Pakistan and India. There is no indication that this campaign is linked to any known group; however, ESET is tracking the threat actors behind it under the moniker Virtual Invaders.

Apps that contain XploitSPY can extract contact lists and files; extract the deviceโ€™s GPS location; and extract the names of files listed in specific directories related to the camera, downloads, and various messaging apps such as Telegram and WhatsApp. If certain filenames are deemed to be of interest, they can subsequently be extracted from these directories via an additional command from the command and control (C&C) server. Interestingly, the implementation of the chat functionality integrated with XploitSPY is unique; we strongly believe that this chat function was developed by the Virtual Invaders group.

The malware also uses a native library, which is often used in Android app development for improving performance and accessing system features. However, in this case, the library is used to hide sensitive information, like the addresses of the C&C servers, making it harder for security tools to analyze the app.

The apps โ€“ Dink Messenger, Sim Info, and Defcom โ€“ were taken down from Google Play; moreover, as a Google App Defense Alliance partner, ESET identified ten additional apps that contain code that is based on XploitSPY and shared its findings with Google. Following the ESET alert, the apps were removed from the store. Each of the apps had a low number of installs, suggesting a targeted approach rather than a broad strategy. Overall, around 380 victims have downloaded the apps from websites and Google Play store and created accounts to use their messaging functionality. Because of the targeted nature of the campaign, the number of installs of each app from Google Play is relatively low โ€“ between zero and 45.

ESET has identified the malicious code used as a customised version of the open-source Android RAT, XploitSPY. It is bundled with legitimate app functionality, most of the time being a fake, but functioning, messaging application. The campaign has evolved over the years to include obfuscation, emulator detection, and hiding of C&C addresses.

XploitSPY is widely available, and customised versions have been used by multiple threat actors such as the Transparent Tribe APT group, as documented by Meta. However, the modifications found in the apps are distinctive and differ from those in previously documented variants of the XploitSPY malware.

For more technical information about the eXotic Visit campaign, see the blog post โ€œeXotic Visit campaign: Tracing the footprints of Virtual Invaders.โ€

Hot this week

These robot vacuums are getting smarter with Apple Home support

Appleโ€™s iOS 18.4 update adds Matter support for robot vacuums, enabling control via Apple Home. Roborock, iRobot, and Ecovacs are updating their devices.

Apple has no plans for a small iPhone

Apple has no plans to make another iPhone Mini. Was it a missed opportunity, or was the compact iPhone just released at the wrong time?

Samsungโ€™s latest vacuum alerts you to calls and texts while you clean

Samsungโ€™s new Bespoke AI Jet Ultra vacuum can alert you to calls and texts while cleaning as the brand expands smart home screens across appliances.

China-aligned hacker group FamousSparrow resurfaces in cyberattacks

ESET finds China-linked hacker group FamousSparrow still active with upgraded tools, targeting institutions in the US, Mexico and Honduras.

The Tesla Model Y now comes in a 110kW version that qualifies for Cat A COE

Tesla launches the Model Y 110 in Singapore, a budget-friendly EV with Cat A COE. Discover its features, price, and availability.

These robot vacuums are getting smarter with Apple Home support

Appleโ€™s iOS 18.4 update adds Matter support for robot vacuums, enabling control via Apple Home. Roborock, iRobot, and Ecovacs are updating their devices.

Gmail introduces easier encryption for business emails

Google introduces a new encryption model for Gmail, making it easier for businesses to send secure emails without special software or certificates.

Nothing Phone (3a) Pro review: A mid-range marvel with standout zoom

Nothing Phone (3a) Pro blends standout design, powerful zoom camera, and smart features, making it a top choice in the mid-range segment.

Vivo challenges iPhone 16 Pro Max with X200 Ultraโ€™s video stability

Vivoโ€™s X200 Ultra teaser compares video stability with the iPhone 16 Pro Max, promising top-tier camera upgrades and advanced stabilisation.

Related Articles