India and Pakistan hit by wave of Android spy apps

Father

The new eXotic Visit campaign is aimed at collecting data from unsuspecting users.

ESET reports on a new malware campaign targeting users in South Asia. The eXotic Visit campaign started in November 2021 and distributes malware through dedicated websites and the Google Play Store.

The infected applications provide legitimate functionality but also embed the open-source code of the XploitSPY RAT. Some apps pose as messengers such as Alpha Chat and ChitChat, while others pretend to be food ordering services in Pakistan or India's Trilife Hospital. About 380 victims reportedly downloaded the apps that mimic instant messengers and created accounts to use them for messaging.

The XploitSPY trojan was uploaded to GitHub back in April 2020 by a user named RaoMK and is linked to the Indian information security company XploitWizer. The malware can collect sensitive data from infected devices, including:
  • GPS location;
  • microphone recordings;
  • contacts;
  • SMS messages;
  • call logs;
  • contents of the clipboard.

XploitSPY is also capable of:
  • downloading and uploading files;
  • listing installed apps;
  • extracting notification details from WhatsApp, Facebook, Instagram and Gmail.

The main purpose of the malicious apps is espionage, presumably focused on victims in Pakistan and India. The apps are also designed to list files in several directories associated with screenshots and instant messengers, including WhatsApp and Telegram.

According to ESET, the attackers keep modifying their malicious code by adding obfuscation, emulator detection, hiding of C2 server addresses, and use of a native library. If an emulator is detected, the application contacts a fake C2 server to evade detection.

The distribution of the malicious apps began with sites created specifically for this campaign. These sites provided a link to an APK file hosted on GitHub. Distribution later moved to the official Google Play store, where the apps had a small number of installations — up to 45. After detection, the malware was removed from the store.