
"eXotic Visit" spyware targets Android users in India and Pakistan

The "eXotic Visit" spyware campaign targets Android users in South Asia, mainly in India and Pakistan.

eXotic Visit spyware

The "eXotic Visit" campaign distributes its malware through dedicated websites and the Google Play Store.

ESET, the Slovakian cybersecurity company, said that this activity, which has been ongoing since November 2021, is not linked to any known actor or threat group. The company tracks the team behind the operation under the name Virtual Invaders.


"The downloaded apps provide legitimate functionality, but they also incorporate code from the open-source Android XploitSPY RAT," according to ESET security researcher Lukáš Štefanko.

The campaign stands out for how narrowly targeted it is: the apps that were available on Google Play showed extremely low install counts, ranging from zero to 45. These apps have since been removed from the store.

The apps, fake but otherwise functional, are mostly presented as popular messaging services, including Alpha Chat, ChitChat, Defcom, Dink Messenger, Signal Lite, TalkU, WeTalk, Wicker Messenger and Zaangi Chat. An estimated 380 people have downloaded these apps and created accounts to use them for messaging.

The eXotic Visit campaign also uses purpose-built apps such as Sim Info and Telco DB, which claim to return detailed information on SIM card holders in Pakistan from nothing more than a phone number. Other apps pose as food ordering services in Pakistan or even as legitimate medical institutions in India, such as Specialist Hospital, which has since been renamed Trilife Hospital.

XploitSPY was uploaded to GitHub as early as April 2020 by a user named RaoMK, who is associated with an Indian cybersecurity solutions company called XploitWizer. It has also been described as an evolution of another open-source Android trojan called L3MON, which, in turn, is inspired by AhMyth.

It allows the collection of sensitive data from infected devices, including GPS locations, microphone recordings, contacts, SMS messages, call logs, and the contents of the thumb drive. In addition, it can extract notification details from popular apps such as WhatsApp, Facebook, Instagram and Gmail, receive and send files, list installed applications and execute commands.

The malicious apps have also been built to capture photos and to count files in a range of folders belonging to screenshots, WhatsApp, WhatsApp Business, Telegram and an unofficial WhatsApp build known as GBWhatsApp.

"Over the years, malware authors have significantly upgraded their methods, incorporating advanced techniques such as code obfuscation, emulator detection, concealment of command-and-control addresses, and the use of a native library," according to Štefanko.

The main function of the native library ("defcome-lib.so") is to encode and hide the C2 server information so that static analysis tools cannot recover it. If an emulator is detected, the app switches to a dummy C2 server to evade detection.
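An added triage helper (example code, not ESET's tooling) illustrating the point above: it enumerates the native libraries inside an APK and reports which expose plaintext network indicators and which expose none, so an analyst knows where static string review stops and dynamic analysis has to begin. The APK, the second library's contents and the XOR encoding are constructed for the demonstration; the file name defcome-lib.so is taken from the article.

```python
"""Triage: list lib/<abi>/*.so inside an APK and check each for readable
network indicators (URLs, IPv4 addresses, hostnames). A library with none,
in an app that clearly talks to a server, is a candidate for the C2-address
encoding the article describes. Added example; sample APK is constructed."""
import io
import re
import zipfile

# Minimum run of printable ASCII to count as a string (like `strings -n 6`).
_PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")
# Plaintext indicators: URLs, dotted IPv4 addresses, hostnames with common TLDs.
_INDICATOR = re.compile(
    rb"(?:https?://\S+|\b(?:\d{1,3}\.){3}\d{1,3}\b"
    rb"|\b[\w-]+(?:\.[\w-]+)+\.(?:com|io|net|org)\b)")

def native_libs(apk_bytes: bytes) -> dict[str, bytes]:
    """Return {path: contents} for every native library in the APK (a zip)."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {n: zf.read(n) for n in zf.namelist()
                if n.startswith("lib/") and n.endswith(".so")}

def network_indicators(blob: bytes) -> list[str]:
    """Pull printable strings out of a binary and keep the network-looking ones."""
    found = set()
    for s in _PRINTABLE.findall(blob):
        found.update(m.decode() for m in _INDICATOR.findall(s))
    return sorted(found)

def triage(apk_bytes: bytes) -> dict[str, dict]:
    """Per-library report: plaintext indicators, and 'opaque' when there are
    none at all (the library deserves a look under a debugger or emulator)."""
    return {path: {"indicators": hits, "opaque": not hits}
            for path, blob in native_libs(apk_bytes).items()
            for hits in [network_indicators(blob)]}

def build_sample_apk() -> bytes:
    """Constructed two-library APK: one lib carries a readable URL, the other
    stores its server address XOR-encoded so no plaintext indicator survives."""
    encoded = bytes(b ^ 0x5A for b in b"https://c2.example.invalid/api")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lib/arm64-v8a/libhelper.so",
                    b"\x7fELF" + b"\0" * 12 + b"https://update.example.com/check\0")
        zf.writestr("lib/arm64-v8a/defcome-lib.so", b"\x7fELF" + b"\0" * 12 + encoded)
        zf.writestr("classes.dex", b"dex\n035\0")  # non-native entry, ignored
    return buf.getvalue()

if __name__ == "__main__":
    for path, info in triage(build_sample_apk()).items():
        print(path, info)
```

Run it against a real sample by replacing `build_sample_apk()` with the bytes of the APK under review; an "opaque" verdict is a prompt for dynamic analysis, not proof of malice, since legitimate libraries may simply contain no network strings.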



Some of the apps have been distributed through dedicated websites ("chitchat.ngrok[.]io") that link to an Android package ("ChitChat.apk") hosted on GitHub. It is currently unclear how victims are lured into installing these apps.

"The distribution started initially from more specialized websites and was later extended to the official Google Play store," Štefanko stressed. "The purpose of the campaign is spyware, and its victims are in Pakistan and India."

Source: thehackernews

SecNews, https://secnews.gr