‘eXotic Visit’ spyware targets Android users in Pakistan and India
It can also extract notification details from apps like WhatsApp, Facebook, Instagram, and Gmail, download/upload files, view installed apps, and queue commands.
An active Android malware campaign, dubbed eXotic Visit, has been detected, primarily targeting users in South Asia, especially in India and Pakistan. The malware is distributed via dedicated websites and the Google Play Store.
According to a Slovak cybersecurity firm, the campaign, ongoing since November 2021, is not associated with any known threat actor or group. The firm, tracking the group behind the operation under the name Virtual Invaders, issued a technical report today.
ESET security researcher Lukáš Štefanko stated, “Downloaded apps provide legitimate functionality, but also include code from the open-source Android XploitSPY RAT.”
The campaign appears highly targeted, with the apps available on Google Play having a negligible number of installs, ranging from zero to 45. These apps have since been removed.
The malicious apps primarily pose as messaging services, including Alpha Chat, ChitChat, Defcom, Dink Messenger, Signal Lite, TalkU, WeTalk, Wicker Messenger, and Zaangi Chat. Approximately 380 victims downloaded these apps and created accounts for messaging purposes.
Additionally, apps like Sim Info and Telco DB, claiming to provide SIM owner details by entering a Pakistan-based phone number, are used as part of the eXotic Visit campaign. Other applications masquerade as a food ordering service in Pakistan and a legitimate Indian hospital (now rebranded as Trilife Hospital).
The XploitSPY malware, uploaded to GitHub as early as April 2020 by a user named RaoMK, is linked to an Indian cybersecurity solutions company called XploitWizer. It’s described as a fork of another open-source Android trojan, L3MON, which is inspired by AhMyth.
The malware possesses a range of features enabling it to gather sensitive data from infected devices, including GPS locations, microphone recordings, contacts, SMS messages, call logs, and clipboard content. It can also extract notification details from apps like WhatsApp, Facebook, Instagram, and Gmail, download/upload files, view installed apps, and queue commands.
Moreover, the malicious apps can take pictures and enumerate files in directories related to screenshots, WhatsApp, WhatsApp Business, Telegram, and GBWhatsApp, an unofficial WhatsApp mod.
“Throughout the years, these threat actors have customized their malicious code by adding obfuscation, emulator detection, hiding of [command-and-control] addresses, and use of a native library,” stated Štefanko.
The primary objective of the native library (“defcome-lib.so”) is to encode and conceal the C2 server information from static analysis tools. In case an emulator is detected, the app utilizes a fake C2 server to evade detection.
Certain apps have been disseminated through websites specifically established for this purpose (“chitchat.ngrok[.]io”), which provide a link to an Android package file (“ChitChat.apk”) hosted on GitHub. It remains unclear how victims are directed to these apps.
“Distribution started on dedicated websites and then even moved to the official Google Play store,” Štefanko concluded. “The purpose of the campaign is espionage and probably is targeting victims in Pakistan and India.”
