XploitSpy Mobile Malware
A new Android malware campaign, named the eXotic Visit, has been actively targeting users in South Asia, particularly in India and Pakistan. This campaign has been distributing malware through specialized websites and the Google Play Store.
Researchers have been monitoring this campaign since November 2021 and have found no connection to any known threat actor or group. They've labeled the group behind it as Virtual Invaders.
The threatening applications downloaded from these sources offer legitimate functionality but also contain code from the open-source Android XploitSPY RAT. This campaign seems highly focused, with the applications on Google Play having very few installs, ranging from zero to 45. As a result of the research findings, these applications have been removed from the platform.
Table of Contents
The Attack Operation Exploited Numerous Fake Applications
The deceptive applications were still functional and primarily posed as messaging platforms such as Alpha Chat, ChitChat, Defcom, Dink Messenger, Signal Lite, TalkU, WeTalk, Wicker Messenger and Zaangi Chat. It's reported that around 380 individuals have fallen victim to downloading these applications and creating accounts, intending to use them for messaging.
Additionally, as part of the eXotic Visit campaign, applications like Sim Info and Telco DB are utilized. These applications claim to offer information about SIM card owners by simply inputting a Pakistan-based phone number. Furthermore, other applications pretend to be a food delivery service in Pakistan and a legitimate Indian hospital known as Specialist Hospital (now rebranded as Trilife Hospital).
XploitSpy Mobile Malware Possesses a Wide Range of Intrusive Functions
XploitSPY, initially uploaded to GitHub as early as April 2020 by a user named RaoMK, has ties to an Indian cybersecurity solutions company called XploitWizer. It's been identified as a derivative of another open-source Android trojan called L3MON, which itself is inspired by AhMyth.
This malware boasts a broad range of capabilities enabling it to collect sensitive data from compromised devices. It can gather GPS locations, record audio from the microphone, access contacts, SMS messages, call logs, and clipboard contents. It's also capable of extracting notification details from popular apps like WhatsApp, Facebook, Instagram, and Gmail, as well as downloading and uploading files, viewing installed applications, and executing queued commands.
Moreover, the harmful applications are programmed to take photos and enumerate files from specific directories associated with screenshots, WhatsApp, WhatsApp Business, Telegram, and a modified version of WhatsApp known as GBWhatsApp.
Attackers Show Increased Emphasis on Stealth
Throughout the years, these threat actors have customized their damaging code by adding obfuscation, emulator detection, hiding of C2 addresses, and use of a native library. The main purpose of the native library 'defcome-lib.so' is to keep the C2 server information encoded and hidden from static analysis tools. If an emulator is detected, the app makes use of a fake C2 server to evade detection.
Some of the applications have been propagated through websites specifically created for this purpose, 'chitchat.ngrok.io,' which provides a link to an Android package file, 'ChitChat.apk' hosted on GitHub. It's presently not clear how victims are directed to these applications.
Researchers state that distribution started on dedicated websites and then even moved to the official Google Play store. The purpose of the campaign is espionage and it will probably target victims in Pakistan and India.
