A cyber espionage campaign known as ‘eXotic Visit’ has been targeting Android users in South Asia [8], specifically in India and Pakistan [2] [4] [6] [7] [11], since late 2021 [8].

Description

The threat actors [1] [5] [6] [9], identified as the ‘Virtual Invaders’ group, have been distributing the XploitSPY malware through fake messaging apps available on dedicated websites and the Google Play Store. This malware, a customized variant of an open-source Android RAT called L3MON, is designed to extract sensitive data such as contact lists, call logs [5] [11], GPS locations [1] [3] [5] [6] [7] [9] [10] [11], files [1] [3] [9] [10] [11], SMS messages [6] [11], clipboard content [11], and more from victims’ phones [5]. The campaign, monitored from November 2021 to the end of 2023 [3] [9] [10], has evolved to include obfuscation and emulator detection techniques to avoid detection.

Malicious apps linked to XploitSPY, including WeTalk [5], Zaangi Chat [5], Wicker Messenger [1] [3] [5] [10], and Expense Tracker [5], were removed from the Google Play Store after ESET identified ten additional apps associated with the malware. Approximately 380 victims have been affected by this targeted campaign [8], raising concerns about cybersecurity in the region [8]. The XploitSPY malware [1] [3] [5] [9] [10], associated with an Indian cybersecurity company [4] [7], has features that allow it to gather sensitive data from infected devices [7], such as GPS locations [6] [7] [11], microphone recordings [7] [11], contacts [1] [3] [5] [6] [7] [9] [10] [11], and more. The campaign’s main purpose is espionage [4] [7] [11], with victims likely being targeted in Pakistan and India [7].

Conclusion

The ‘eXotic Visit’ cyber espionage campaign has had a significant impact on cybersecurity in South Asia, with 380 victims affected by the XploitSPY malware. It is crucial for users to remain vigilant and ensure they only download apps from trusted sources to mitigate the risk of falling victim to such attacks in the future. This campaign highlights the importance of strengthening cybersecurity measures and collaboration between countries to combat cyber threats effectively.

References

[1] https://www.eset.com/int/about/newsroom/press-releases/research/eset-research-discovers-exotic-visit-campaign-targeted-attack-via-fake-messaging-apps-available-on-web-and-google-play/
[2] https://www.cyclonis.com/xploitspy-mobile-malware-deployed-against-south-asia-victims/
[3] https://www.ndtv.com/india-news/researchers-discover-espionage-campaign-targeting-indian-users-via-fake-messaging-apps-5417903
[4] https://ciso2ciso.com/exotic-visit-spyware-campaign-targets-android-users-in-india-and-pakistan-sourcethehackernews-com/
[5] https://www.infosecurity-magazine.com/news/android-espionage-campaign-india/
[6] https://cybersocialhub.com/csh/exotic-visit-spyware-campaign-targets-android-users-in-india-and-pakistan/
[7] https://vulners.com/thn/THN:169C68E9D836BED50A6A34AF35A28DDE
[8] https://cybersecuritynews.com/xploitspy-android-malware/
[9] https://www.welivesecurity.com/en/eset-research/exotic-visit-campaign-tracing-footprints-virtual-invaders/
[10] https://www.sakshipost.com/news/researchers-discover-espionage-campaign-targeting-indian-users-fake-messaging-apps-288801
[11] https://www.ihash.eu/2024/04/exotic-visit-spyware-campaign-targets-android-users-in-india-and-pakistan/