InfoSecBulletin Cybersecurity for mankind
ESET researchers found a spying campaign targeting Android users. The campaign uses fake messaging apps that include XploitSPY malware. The campaign, called eXotic Visit, has been active from November 2021 to the end of 2023.
Malicious Android apps were distributed through targeted campaigns using dedicated websites and the Google Play store. These apps had a low number of installs on Google Play and have since been removed.
CVE-2025-1268
Patch urgently! Canon Fixes Critical Printer Driver Flaw
Within Minute, RamiGPT To Escalate Privilege Gaining Root Access
Australian fintech database exposed in 27000 records
Over 200 Million Info Leaked Online Allegedly Belonging to X
FBI investigating cyberattack at Oracle, Bloomberg News reports
OpenAI Offering $100K Bounties for Critical Vulns
Splunk Alert User RCE and Data Leak Vulns
CIRT alert Situational Awareness for Eid Holidays
Cyberattack on Malaysian airports: PM rejected $10 million ransom
Micropatches released for Windows zero-day leaking NTLM hashes
The eXotic Visit campaign seems to focus on specific Android users in Pakistan and India. It is not known which group is behind this campaign, but we are monitoring the threat actors and calling them Virtual Invaders.
Apps with XploitSPY can get contact lists, files, GPS location, and file names from specific directories related to the camera, downloads, Telegram, and WhatsApp. Certain filenames can be further extracted from these directories by a command from the control server. The chat function in XploitSPY is unique and believed to be developed by the Virtual Invaders group.
The malware uses a native library commonly used in Android app development to hide important information, such as C&C server addresses. This makes it difficult for security tools to analyze the app.
The apps mentioned below were removed from Google Play after ESET, as a Google App Defense Alliance partner, discovered that they contained harmful code. The low number of installations suggests that they were used in a targeted manner. The “eXotic Visit” apps were identified as part of this campaign, and the Technical analysis section examines the XploitSPY code present in these apps. Click here to read out the full report.
