Android eXotic Visit Spyware Targets Pakistanis And Indians
An ongoing Android malware campaign, known as eXotic Visit, has been targeting users primarily in South Asia, with a focus on India and Pakistan. The spyware is distributed through dedicated websites set up for the purpose and through the Google Play Store. The Slovak cybersecurity firm ESET, which uncovered the campaign, traced its activity back to November 2021.
ESET researchers have not linked the eXotic Visit Spyware to any known threat actor or group, but they are tracking the group behind the operation under the name Virtual Invaders.
eXotic Visit Spyware Capabilities
eXotic Visit is a targeted espionage campaign rather than a mass-distribution one. The malicious apps work by embedding XploitSPY, an open-source Android Remote Access Trojan (RAT), into otherwise functional applications. Once installed, the RAT lets the operators pull a range of data from the infected device. Data that XploitSPY can access includes:
- Contact lists and files: Personal information stored on the device.
- Call logs: A record of all calls made and received on the phone.
- Installed apps: A list of all applications installed on the device.
- Surrounding Wi-Fi networks: Information about nearby wireless networks.
- GPS location: The device’s current location.
- Files in specific directories: These include directories related to the camera, downloads, and messaging apps like Telegram and WhatsApp.
In addition, XploitSPY allows threat actors to perform a range of malicious activities on a victim’s phone, including:
- Sending SMS messages.
- Taking pictures using the camera.
- Recording audio from the device’s surroundings.
- Intercepting notifications from various messaging apps.
- Exfiltrating files whose names match a list of interest, on command from the Virtual Invaders’ command-and-control (C2) server.
Malicious Apps and Their Impact
The eXotic Visit spyware is primarily disguised as messaging apps, under names such as Alpha Chat, ChitChat, Defcom, Dink Messenger, Signal Lite, TalkU, WeTalk, Wicker Messenger, and Zaangi Chat. The messaging features actually work, which is what makes the disguise credible; the embedded RAT compromises the device in the background.
Approximately 380 victims have downloaded these apps and created accounts to use them. Other eXotic Visit apps include Sim Info and Telco DB, which claim to provide information about SIM owners by entering a Pakistan-based phone number. Some apps pose as a food ordering service in Pakistan or a legitimate Indian hospital (now rebranded as Trilife Hospital).
XploitSPY has been available on GitHub since April 2020 under the user name RaoMK and is linked to an Indian cybersecurity solutions company called XploitWizer. XploitSPY draws inspiration from another open-source Android trojan known as L3MON, which in turn is inspired by AhMyth.
Spyware Attacks On Mobile Devices – Features and Techniques
XploitSPY ships with a wide range of features for gathering sensitive data from infected devices, including GPS location, microphone recordings, contacts, SMS messages, call logs, and clipboard contents.
It can also extract notification details from apps like WhatsApp, Facebook, Instagram, and Gmail, as well as download and upload files. The malicious apps can take pictures and list files in several directories related to screenshots, WhatsApp, WhatsApp Business, Telegram, and an unofficial WhatsApp mod known as GBWhatsApp.
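The capability lists above (the data XploitSPY collects and the actions it can perform) translate directly into Android permissions and components an app has to declare before the platform will let it do any of those things. The script below is an added example, not ESET's tooling or anything taken from the campaign: it maps each reported capability to the Android permission that gates it, parses an app manifest, and flags one whose declared permissions cover most of the set. Notification interception is declared differently from the rest (a service guarded by BIND_NOTIFICATION_LISTENER_SERVICE rather than a uses-permission element), so the parser checks both places. Both manifests are constructed for illustration and the flagging threshold is an assumption chosen for this example.

```python
"""Triage an AndroidManifest.xml against the XploitSPY capability set.

Added example, not code from ESET or from the campaign. The permission
strings are real Android identifiers; the two manifests and the threshold
are constructed for illustration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Android permission that gates each capability reported for XploitSPY.
CAPABILITY_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "contact list",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.ACCESS_FINE_LOCATION": "GPS location",
    "android.permission.ACCESS_WIFI_STATE": "surrounding Wi-Fi networks",
    "android.permission.READ_EXTERNAL_STORAGE": "files in camera/download/messenger directories",
    "android.permission.SEND_SMS": "sending SMS",
    "android.permission.READ_SMS": "reading SMS",
    "android.permission.CAMERA": "taking pictures",
    "android.permission.RECORD_AUDIO": "recording surrounding audio",
    # Declared on a <service>, not as <uses-permission>.
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "intercepting messenger notifications",
}


def declared_permissions(manifest_xml: str) -> set:
    """Collect <uses-permission> names plus any android:permission that
    guards a <service> (the way a NotificationListenerService is declared)."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    perm_attr = "{%s}permission" % ANDROID_NS
    perms = {el.get(name_attr) for el in root.iter("uses-permission")}
    perms |= {el.get(perm_attr) for el in root.iter("service") if el.get(perm_attr)}
    perms.discard(None)
    return perms


def spyware_capabilities(manifest_xml: str) -> dict:
    """Map the manifest's declarations onto the XploitSPY capability set."""
    perms = declared_permissions(manifest_xml)
    return {p: CAPABILITY_PERMISSIONS[p] for p in sorted(perms) if p in CAPABILITY_PERMISSIONS}


def triage(manifest_xml: str, threshold: int = 5):
    """Return (flagged, matched_capabilities). An app covering at least
    `threshold` of the capabilities is flagged for manual review; the
    threshold is an assumed value for this example, not an ESET rule."""
    caps = spyware_capabilities(manifest_xml)
    return len(caps) >= threshold, caps


# Constructed manifest mimicking a trojanised "chat" app: it requests far
# more than a messenger needs and registers a notification listener.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chitchat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application>
    <service android:name=".NotifListener"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""

# Constructed manifest for a plausible benign messenger with voice notes.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.plainchat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application/>
</manifest>"""


if __name__ == "__main__":
    for label, manifest in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        flagged, caps = triage(manifest)
        print(label, "FLAGGED" if flagged else "ok", sorted(caps.values()))
```

The permission view is a triage heuristic, not a verdict: a legitimate app can request most of these, and the notification listener in particular is exactly what a genuine messenger may need. What it gives an analyst is a fast way to shortlist apps from the storefront or from the campaign's download sites for the heavier static and dynamic analysis described in the next section.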
ESET researcher Lukáš Štefanko stated that the threat actors have been customizing their code over the years, adding techniques such as obfuscation, emulator detection, hiding command-and-control addresses, and utilizing a native library.
The native library “defcome-lib.so” exists to keep the C2 server information encoded, so that it does not appear as a plain string to static analysis tools. If the app detects that it is running in an emulator, it falls back to a fake C2 server. A practical consequence for analysts is that detonating a sample in a stock emulator yields only the decoy address; the real C2 has to be recovered by decoding the native library or by running the sample on a physical device or an environment that defeats the emulator checks.
Spyware Targeting Pakistan and India
Some of the apps have been spread through dedicated websites specifically created for this purpose. These websites provide a link to an Android package file hosted on GitHub. It’s unclear how victims are being directed to these apps.
ESET reported that distribution began on the dedicated websites and later expanded to the Google Play Store. The researchers concluded that the goal of the eXotic Visit campaign is espionage, with victims primarily in Pakistan and India.
Conclusion
The eXotic Visit campaign is a concerning threat to Android users in South Asia, particularly in India and Pakistan. By disguising itself as legitimate apps and spreading through dedicated websites and the Google Play Store, the campaign puts users’ data and privacy at significant risk. XploitSPY, the malware used in the campaign, can access sensitive information, perform malicious actions on victims’ devices, and has been tailored over time to evade detection.
Users should remain vigilant when downloading apps and prioritize security measures to protect their devices and personal information from such Android spyware attacks.
The sources for this piece include articles in The Hacker News and Infosecurity Magazine.