The “eXotic Visit” spyware campaign targets Android users in India and Pakistan

April 10, 2024 | Pressroom | Mobile security / spyware


An active Android malware campaign called eXotic Visit has primarily targeted South Asian users, particularly those in India and Pakistan, with malware distributed via dedicated websites and the Google Play Store.

ESET, the Slovak cybersecurity company, said the activity, which has been ongoing since November 2021, is not linked to any known threat actor or group. It is tracking the group behind the operation under the name Virtual Invaders.

“The downloaded apps provide legitimate functionality, but also include the open source Android XploitSPY RAT code,” ESET security researcher Lukáš Štefanko said in a technical report published today.

The campaign is said to be highly targeted in nature, with the apps available on Google Play having a negligible number of installs ranging from zero to 45. The apps have since been removed.


The fake but functional apps mostly masquerade as messaging services such as Alpha Chat, ChitChat, Defcom, Dink Messenger, Signal Lite, TalkU, WeTalk, Wicker Messenger, and Zaangi Chat. Around 380 victims are said to have downloaded the apps and created accounts to use them for messaging.

Apps such as Sim Info and Telco DB are also used as part of eXotic Visit, both of which claim to provide details of SIM owners simply by entering a Pakistan-based phone number. Other apps pass themselves off as a food ordering service in Pakistan or a legitimate Indian hospital called Specialist Hospital (now renamed Trilife Hospital).


XploitSPY, uploaded to GitHub as early as April 2020 by a user called RaoMK, is associated with an Indian cybersecurity solutions company called XploitWizer. It has also been described as a fork of another open-source Android Trojan called L3MON, which, in turn, draws inspiration from AhMyth.

It comes with a wide range of features that allow it to collect sensitive data from infected devices, such as GPS locations, microphone recordings, contacts, SMS messages, call logs, and clipboard contents; extract notification details from apps like WhatsApp, Facebook, Instagram and Gmail; download and upload files; view installed apps; and queue commands.

Besides that, the malicious apps are designed to take photos and enumerate files in directories belonging to screenshots, WhatsApp, WhatsApp Business, Telegram and an unofficial WhatsApp mod known as GBWhatsApp.


“Over the years, these threat actors have customized their malicious code by adding obfuscation, emulator detection, [command-and-control] addresses and the use of a native library,” Štefanko said.

The main purpose of the native library (“defcome-lib.so”) is to keep C2 server information encoded and hidden from static analysis tools. If an emulator is detected, the app uses a fake C2 server to evade detection.
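The practical consequence of hiding the C2 in a native library is that a plain `strings` pass over the APK turns up nothing useful, which is itself a triage signal. The script below is an added example, not ESET's code and not code from the eXotic Visit apps: it lists the native libraries bundled in an APK, flags any whose file name is on a watch list (here only "defcome-lib.so", the name reported above), extracts printable strings from each library, and, where a watch-listed library exposes no host-like strings in the clear, tries single-byte XOR as one cheap guess. The sample APK is constructed in memory; its hosts, file contents and XOR key are invented for illustration and say nothing about how the real library actually encodes its C2 data.

```python
"""Static-triage helper for APKs that tuck their C2 into a native library.

Added example. Nothing here is ESET's or the malware authors' code, and the
sample APK built by build_sample_apk() is constructed for illustration only.
"""
import io
import re
import zipfile

WATCH_LIST = {"defcome-lib.so"}          # library name reported in the article
MIN_STR_LEN = 6
_PRINTABLE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_STR_LEN)
_HOSTLIKE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}(?::\d+)?(?:/.*)?$")


def native_libs(apk_bytes: bytes) -> list[str]:
    """Paths of every lib/<abi>/*.so entry in the APK (an APK is a zip file)."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return sorted(n for n in zf.namelist()
                      if n.startswith("lib/") and n.endswith(".so"))


def extract_strings(blob: bytes) -> list[str]:
    """Crude strings(1): maximal runs of printable ASCII of MIN_STR_LEN or more."""
    return [m.group().decode("ascii") for m in _PRINTABLE.finditer(blob)]


def hostlike(strings: list[str]) -> list[str]:
    """Keep only strings that look like a URL or a bare hostname[:port][/path]."""
    return [s for s in strings if "://" in s or _HOSTLIKE.match(s)]


def brute_xor_hostlike(blob: bytes) -> dict[int, list[str]]:
    """Try every single-byte XOR key and report keys that reveal host-like text.
    Key 0 is skipped because that is the unmodified blob. This is a generic
    analyst heuristic, not a claim about the real library's encoding."""
    hits = {}
    for key in range(1, 256):
        decoded = bytes(b ^ key for b in blob)
        found = hostlike(extract_strings(decoded))
        if found:
            hits[key] = found
    return hits


def triage(apk_bytes: bytes) -> dict:
    """Summarise native libraries: which are watch-listed, which expose
    host-like strings in the clear, and what single-byte XOR recovers from
    watch-listed libraries that expose nothing."""
    report = {"libs": native_libs(apk_bytes), "watchlisted": [],
              "hostlike": {}, "xor_hits": {}}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in report["libs"]:
            blob = zf.read(name)
            report["hostlike"][name] = hostlike(extract_strings(blob))
            if name.rsplit("/", 1)[-1] in WATCH_LIST:
                report["watchlisted"].append(name)
                if not report["hostlike"][name]:
                    # Nothing in the clear: the encoded-C2 pattern. Try a cheap guess.
                    report["xor_hits"][name] = brute_xor_hostlike(blob)
    return report


def build_sample_apk() -> bytes:
    """Constructed APK: one library stores its C2 XOR-encoded (nothing host-like
    in the clear), one stores it in plaintext, for contrast. Not a real sample."""
    c2 = b"https://c2.example.invalid/api"          # constructed, not a real IOC
    encoded = bytes(b ^ 0xFF for b in c2)           # every byte >= 0x80: not printable
    fake_elf = b"\x7fELF" + b"\x00" * 16            # just enough to resemble a .so
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00")
        zf.writestr("lib/arm64-v8a/defcome-lib.so",
                    fake_elf + encoded + b"\x00JNI_OnLoad\x00")
        zf.writestr("lib/arm64-v8a/libplain.so", fake_elf + c2 + b"\x00")
    return buf.getvalue()


if __name__ == "__main__":
    import json
    print(json.dumps(triage(build_sample_apk()), indent=2))
```

Run against the constructed sample, the plaintext library shows its URL directly, while the watch-listed library yields only "JNI_OnLoad" in the clear and gives up the constructed URL only under key 0xff. On a real sample, an empty hostlike list for a suspicious native library is the cue to move from strings to disassembly of the JNI functions that build the C2 address, and the emulator check the article mentions means dynamic analysis must be done on hardware or a well-disguised emulator to see the genuine server.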

Some apps have been spread through websites created specifically for this purpose (“chitchat.ngrok[.]io”) which provide a link to an Android package file (“ChitChat.apk”) hosted on GitHub. It is currently unclear how victims are directed to these apps.

“The distribution started on dedicated websites and then also moved to the official Google Play store,” concluded Štefanko. “The aim of the campaign is espionage and is likely targeting victims in Pakistan and India.”
