Researchers have discovered an active espionage campaign ‘eXotic Visit’, targeting Android users via fake messaging apps that are distributed through dedicated websites and Google Play, a new report said on Wednesday.

According to ESET Research, the campaign appears to primarily target a select group of Android users in India and Pakistan.

The researchers have tracked the eXotic Visit campaign’s activities from November 2021 through to the end of 2023.

While the downloaded apps provide legitimate functionality, they come bundled with open-source XploitSPY malware.

“Apps that contain XploitSPY can extract contact lists and files, the device’s GPS location, and the names of files listed in specific directories related to the camera, downloads, and various messaging apps such as Telegram and WhatsApp,” the researchers said.

Buy Me a Coffee

“The malware also uses a native library, which is often used in Android app development for improving performance and accessing system features. However, in this case, the library is used to hide sensitive information, like the addresses of the C&C servers, making it harder for security tools to analyze the app,” they added.

Apps like Dink Messenger, Sim Info, and Defcom were taken down from Google Play.

Moreover, the report identified ten additional apps that contain code that was based on XploitSPY and shared its findings with Google. Following that, the apps were removed from the store.

Overall, around 380 victims have downloaded the apps from websites and Google Play store and created accounts to use their messaging functionality, the report said.

READ
Russian National Extradited to U.S. on Charges of Running Phobos Ransomware Operation