Skip to content

Android spyware campaign targets people in India and Pakistan: Research

  • by
  • 5 min read

A sophisticated espionage campaign, dubbed eXotic Visit, targeted Android users in India and Pakistan. This campaign, active for more than two years, from November 2021 to December 2023, involves the distribution of seemingly benign apps infused with the XploitSPY malware to extract sensitive information from compromised devices.

Cybersecurity researchers from ESET recently unveiled the attack methodology and malicious apps behind this campaign. The researchers were unable to pinpoint the threat actors exactly; however, they are tracking the activities of one particular hacker group under the moniker Virtual Invaders.

Due to the campaign’s targeted nature, the number of identified victims and app downloads is quite low. Researchers have confirmed that around 380 victims have downloaded the malicious apps. Similarly, they found that the number of app downloads ranges between zero and 45.

The campaign is based on employing deceptive tactics to distribute malicious apps disguised as legitimate messaging services. The primary targets are Android users in India and Pakistan, highlighting the campaign’s regional focus.

Initially, the malicious apps were disseminated through dedicated websites and, for a brief period, were available on the Google Play Store. However, Google Play removed them due to their targeted nature and malicious intent. Virtual Invaders adapted their tactics, continuing to distribute the apps through alternative channels to evade detection and maintain operational effectiveness.

A timeline of malicious apps distributing XploitSPY RAT. | Source: ESET

Researchers discovered that the earliest malicious apps — WeTalk and ChitChat — were uploaded to GitHub in December 2021. Both apps contained XploitSPY and used a dedicated C2 server. Interestingly, another malicious app called Dink Messenger used the same command and control server. Dink Messenger was later uploaded to the Google Play Store with no malicious codes. However, in subsequent updates, malicious codes were introduced.

Malicious Dink Messenger app. | Source: ESET

The fourth malicious app, AlphaChat, was discovered in November 2022. This app was available for download from Dink Messenger’s domain name and used the same C2 server address. However, researchers discovered that although the admin login page is the same, the port was different.

Virtual Invaders added some extra features to the Alpha Chat XploitSPY RAT, including emulator detection and an additional C2 address to exfiltrate large images. The same features were added to Dink Messenger on Google Play, but the website version lacked these.

Emulator detention Alpha Chat. | Source: ESET

The fifth malicious app, Telco DB, was discovered by researchers as part of the eXotic Visit campaign. This app was uploaded to an alternative app store and here, the C2 address was not hardcoded, rather it returned from a Firebase server, another attempt by the threat actors to hide their real C2 address.

The sixth malicious app was uploaded to Google Play on August 19, 2022, claiming to provide users with information about the phone’s owner. The seventh malicious app, Defcom, was uploaded to Google Play in 2023.

Defcom malicious app. | Source: ESET

Apart from these seven apps, researchers also discovered several other malicious apps infected with the XploitSPY that the threat actors tried to upload on Google Play:

App NamePackage NameDate Uploaded
Zaangi Chatcom.infinite.zaangichatJuly 22nd, 2022
Wicker Messengercom.reelsmart.wickermessengerAugust 25th, 2022
Expense Trackercom.solecreative.expensemanagerNovember 4th, 2022
Signal Litecom.techexpert.signalliteDecember 1st, 2021
Telco DBcom.infinitetech.telcodbJuly 25th, 2022
Telco DBcom.infinitetechnology.telcodbJuly 29th, 2022
Tele Chatcom.techsight.telechatNovember 8th, 2022
Track Budgetcom.solecreative.trackbudgetDecember 30th, 2022
SnapMecom.zcoders.snapmeDecember 30th, 2022
TalkUcom.takewis.talkuchatFebruary 14th, 2023

The malicious payload XploitSPY malware exhibits a range of intrusive functionalities designed to harvest personal data and monitor user activities, including the GPS location, camera files, downloads, covert recording to audio and capture of images using the device’s microphone camera, and messaging apps like Telegram and WhatsApp.

If the RAT discovers a certain filename of interest, it can ping the command-and-control (C2) server, and these files can be downloaded via additional commands. Researchers also discovered one unique phenomenon — the integration of chat functionality with the XploitSPY — leading them to conclude that the Virtual Invaders group developed this function. The malware employs a native library to obfuscate critical information, complicating analysis and detection by security tools.

In collaboration with industry partners like Google as part of the App Defense Alliance, ESET identified and removed all malicious apps associated with the eXotic Visit campaign. However, the evolving tactics and sophistication displayed by Virtual Invaders underscore the ongoing challenges in mitigating targeted espionage campaigns and the critical importance of proactive cybersecurity measures.

In the News: Google unveils Axion, its Arm-based CPU for AI enhancements

Kumar Hemant

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me

>