XploitSpy Mobile Malware Deployed Against South Asia Victims

An Android malware campaign tracked as eXotic Visit has been targeting users in South Asia, chiefly in India and Pakistan. The trojanized apps are distributed through dedicated websites and through the Google Play Store. The cybersecurity company monitoring the campaign says it has been active since November 2021 but has not been able to attribute it to a known actor, and has dubbed the group behind it Virtual Invaders.

According to a technical report, the infected apps offer the functionality they advertise but also carry code from the open-source Android XploitSPY RAT. The campaign is narrowly targeted: the apps published on Google Play had between zero and 45 installs each before they were taken down.

Malicious Packages Masquerading as Social Apps

The deceptive apps pose as messaging services like Alpha Chat, ChitChat, Defcom, Dink Messenger, Signal Lite, TalkU, WeTalk, Wicker Messenger, and Zaangi Chat. Around 380 users are reported to have downloaded these apps, believing them to be genuine messaging platforms.

Beyond messaging apps, the campaign also used Sim Info and Telco DB, which claim to return details about the owner of any Pakistani phone number the user enters. Other apps impersonate a food ordering service in Pakistan and a legitimate Indian hospital (since rebranded as Trilife Hospital).

XploitSPY, which first appeared on GitHub in April 2020, is linked to an Indian cybersecurity company called XploitWizer. It's considered a derivative of another open-source Android trojan called L3MON, which itself draws inspiration from AhMyth.

XploitSpy's Capabilities

The malware is capable of collecting various sensitive data from infected devices, including GPS locations, microphone recordings, contacts, SMS messages, call logs, and clipboard contents. It can also access notification details from popular apps like WhatsApp, Facebook, Instagram, and Gmail, download/upload files, view installed apps, and execute commands.

To evade detection, the malicious apps use code obfuscation and emulator detection, and keep the command-and-control address out of the Java code: a native library named "defcome-lib.so" encodes and conceals the C2 server information. If the app determines that it is running in an emulator, it switches to a fake C2 server, so a sandbox or analyst running it in an emulator sees only decoy traffic rather than the real infrastructure.

Some of these apps are distributed through websites created for the purpose, such as "chitchat.ngrok[.]io," which links to an Android package file ("ChitChat.apk") hosted on GitHub. How victims are lured to these sites has not been established.
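The two indicators the article gives, the native library name "defcome-lib.so" and an ngrok[.]io distribution host, are cheap to check across a batch of APKs. The script below is an added example, not code from the article, from the researchers, or from XploitSPY: it opens an APK as the ZIP archive it is, lists the bundled native libraries, flags the known library name, and searches the DEX and native-code entries for ngrok hostnames and for strings commonly used in Android emulator checks. The emulator marker strings (goldfish, ranchu, sdk_gphone, google_sdk, generic_x86) are well-known Android SDK emulator identifiers and are an assumption of this example, not something the article lists; the sample APK is constructed inline and is not a real malware sample.

```python
"""Static triage of an APK for the eXotic Visit / XploitSPY indicators named in the article.

Added example, not code from the article or from XploitSPY. Indicators from the article:
the native library 'defcome-lib.so' and distribution via a host under ngrok[.]io.
The emulator-detection strings are common Android SDK emulator identifiers (assumption).
"""
import io
import re
import zipfile

# Native library the article says encodes/conceals the C2 address.
KNOWN_NATIVE_LIB = "defcome-lib.so"
# Strings that emulator checks typically compare against Build.* fields (assumption).
EMULATOR_MARKERS = (b"goldfish", b"ranchu", b"sdk_gphone", b"google_sdk", b"generic_x86")
# Hostnames under ngrok.io, the distribution pattern seen in the campaign.
NGROK_RE = re.compile(rb"[a-z0-9-]+\.ngrok\.io")


def refang(ioc: str) -> str:
    """Turn a defanged indicator like 'chitchat.ngrok[.]io' back into a matchable hostname."""
    return ioc.replace("[.]", ".")


def triage_apk(apk_bytes: bytes) -> dict:
    """Return a dict of findings for one APK given as raw bytes (an APK is a ZIP file)."""
    findings = {"native_libs": [], "known_native_lib": False,
                "emulator_markers": [], "ngrok_hosts": [], "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Native code lives under lib/<abi>/; record every .so and flag the known name.
            if name.startswith("lib/") and name.endswith(".so"):
                findings["native_libs"].append(name)
                if name.rsplit("/", 1)[-1] == KNOWN_NATIVE_LIB:
                    findings["known_native_lib"] = True
            # Scan Dalvik bytecode and native libraries for marker strings.
            if name.endswith(".dex") or name.endswith(".so"):
                data = zf.read(name)
                for marker in EMULATOR_MARKERS:
                    text = marker.decode()
                    if marker in data and text not in findings["emulator_markers"]:
                        findings["emulator_markers"].append(text)
                for match in NGROK_RE.findall(data):
                    host = match.decode()
                    if host not in findings["ngrok_hosts"]:
                        findings["ngrok_hosts"].append(host)
    # Emulator markers alone are common in benign apps; only the two campaign IOCs raise the flag.
    findings["suspicious"] = findings["known_native_lib"] or bool(findings["ngrok_hosts"])
    return findings


def build_sample_apk() -> bytes:
    """Constructed stand-in for a trojanized APK (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")  # placeholder manifest
        zf.writestr("classes.dex",
                    b"dex\n035\x00android/os/Build;\x00goldfish\x00ranchu\x00"
                    b"https://chitchat.ngrok.io/ChitChat.apk\x00")
        zf.writestr("lib/arm64-v8a/defcome-lib.so", b"\x7fELF placeholder")
    return buf.getvalue()


def build_clean_apk() -> bytes:
    """Constructed benign APK with no native code and no campaign indicators."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00android/os/Build;\x00https://example.com\x00")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_apk(build_sample_apk()))
    print(triage_apk(build_clean_apk()))
```

Point the script at a real file with `triage_apk(open("ChitChat.apk", "rb").read())`. A library filename is a weak indicator on its own, since the operator can rename it in the next build, which is why the script also reports every native library and any ngrok host it finds; an unfamiliar .so in a chat app that also phones an ngrok tunnel is worth pulling into a disassembler even when the known name is absent.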

