InfoSecBulletin Cybersecurity for mankind
ESET researchers found a spying campaign targeting Android users. The campaign uses fake messaging apps that include XploitSPY malware. The campaign, called eXotic Visit, has been active from November 2021 to the end of 2023.
Malicious Android apps were distributed through targeted campaigns using dedicated websites and the Google Play store. These apps had a low number of installs on Google Play and have since been removed.
YouTube geo-blocks at least 4 Bangladeshi TV channels in India
Microsoft Patches Four Critical Azure and Power Apps Vulns
Qilin Ransomware topped April 2025 with 45+ data leak disclosures
SonicWall Patches 3 Flaws in SMA 100 Devices
Top Ransomware Actively Attacking Financial Sector: 406 Incidents Disclosed
Critical (CVSS 10) Flaw in Cisco IOS XE WLCs Allows RRA
CVE-2025-29824
Play Ransomware Exploited Windows CVE-2025-29824 as Zero-Day
Hacker exploited Samsung MagicINFO 9 Server RCE flaw
CISA adds Langflow flaw to its KEV catalog
Google Fixes Android Flaw (CVE-2025-27363) Exploited by Attackers
The eXotic Visit campaign seems to focus on specific Android users in Pakistan and India. It is not known which group is behind this campaign, but we are monitoring the threat actors and calling them Virtual Invaders.
Apps with XploitSPY can get contact lists, files, GPS location, and file names from specific directories related to the camera, downloads, Telegram, and WhatsApp. Certain filenames can be further extracted from these directories by a command from the control server. The chat function in XploitSPY is unique and believed to be developed by the Virtual Invaders group.
The malware uses a native library commonly used in Android app development to hide important information, such as C&C server addresses. This makes it difficult for security tools to analyze the app.
The apps mentioned below were removed from Google Play after ESET, as a Google App Defense Alliance partner, discovered that they contained harmful code. The low number of installations suggests that they were used in a targeted manner. The “eXotic Visit” apps were identified as part of this campaign, and the Technical analysis section examines the XploitSPY code present in these apps. Click here to read out the full report.
