InfoSecBulletin Cybersecurity for mankind
ESET researchers found a spying campaign targeting Android users. The campaign uses fake messaging apps that include XploitSPY malware. The campaign, called eXotic Visit, has been active from November 2021 to the end of 2023.
Malicious Android apps were distributed through targeted campaigns using dedicated websites and the Google Play store. These apps had a low number of installs on Google Play and have since been removed.
CVSS 9.6: IBM QRadar & Cloud Pak Security Flaws Exposed
ALERT
Thousands of IP addresses compromised nationwide: CIRT warn
New Android Malware ‘Crocodilus’ Targets Banks in 8 Countries
Qualcomm Patches 3 Zero-Days Used in Targeted Android Attacks
Critical RCE Flaw Patched in Roundcube Webmail
Hacker claim Leak of Deloitte Source Code & GitHub Credentials
CISA Issued Guidance for SIEM and SOAR Implementation
Linux flaws enable password hash theft via core dumps in Ubuntu, RHEL, Fedora
Australia enacts mandatory ransomware payment reporting
Why Govt Demands Foreign CCTV Firms to Submit Source Code?
The eXotic Visit campaign seems to focus on specific Android users in Pakistan and India. It is not known which group is behind this campaign, but we are monitoring the threat actors and calling them Virtual Invaders.
Apps with XploitSPY can get contact lists, files, GPS location, and file names from specific directories related to the camera, downloads, Telegram, and WhatsApp. Certain filenames can be further extracted from these directories by a command from the control server. The chat function in XploitSPY is unique and believed to be developed by the Virtual Invaders group.
The malware uses a native library commonly used in Android app development to hide important information, such as C&C server addresses. This makes it difficult for security tools to analyze the app.
The apps mentioned below were removed from Google Play after ESET, as a Google App Defense Alliance partner, discovered that they contained harmful code. The low number of installations suggests that they were used in a targeted manner. The “eXotic Visit” apps were identified as part of this campaign, and the Technical analysis section examines the XploitSPY code present in these apps. Click here to read out the full report.
