A malware campaign called eXotic Visit targets Pakistan and India

April 17, 2024
eXotic Visit Malware Campaign Pakistan India AndroidOS

An Android malware campaign dubbed eXotic Visit has been targeting users in South Asia, principally in India and Pakistan. According to the published research, the operation has been active since November 2021.

The campaign has not been attributed to any known threat group. Its operators distributed the malware through several channels, including dedicated websites and, for a time, the Google Play Store.


The eXotic Visit campaign uses malware-laden apps to distribute Android malware.


The malware-laden apps offer seemingly legitimate services while carrying malicious code derived from XploitSPY, an open-source Android remote access trojan (RAT).

Posing as messaging platforms under names such as Alpha Chat and Signal Lite, the apps reached only a handful of installs on Google Play, typically between zero and 45, before they were removed.

Across all distribution channels, roughly 380 victims installed the apps believing they were genuine messaging services. The operators later broadened their lures: Sim Info and Telco DB claimed to return SIM owner details, and other apps impersonated a food delivery service in Pakistan and a well-known Indian hospital (since rebranded as Trilife Hospital).

XploitSPY first appeared on GitHub in April 2020 and is linked to an Indian cybersecurity firm named XploitWizer. It is a variant of another Android trojan, L3MON.

The RAT can exfiltrate sensitive data from infected devices, including GPS location, contacts, SMS messages, and call logs.

To evade detection, the operators equipped the apps with code obfuscation, emulator detection, and a native library, "defcome-lib.so", that encodes and hides the command-and-control (C2) server information so that it does not appear in plain text during static analysis. If the emulator check fires, the app connects to a decoy C2 server instead of the real one, so that analysis in a sandbox never reveals the genuine infrastructure.
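The two evasion tricks above (a named native library and emulator-aware behaviour) are both visible to a static triage pass over the APK itself. The script below is an added example written for this page, not code from the campaign or from the researchers who reported it. It opens an APK as a zip archive, lists the bundled native libraries, flags the library name reported for this campaign, and searches the dex and native code for generic Android emulator fingerprints (the marker strings are common emulator-detection indicators and are an assumption, not strings taken from these samples). The APK it scans by default is constructed in memory so the example runs offline.

```python
import io
import zipfile

# Native library name reported for the eXotic Visit apps (from the article).
KNOWN_NATIVE_LIBS = {"defcome-lib.so"}

# Generic Android emulator fingerprints that emulator-detection code commonly
# looks for. Assumption: well-known markers, not strings from this campaign.
EMULATOR_MARKERS = [
    b"ro.kernel.qemu",
    b"goldfish",
    b"ranchu",
    b"generic_x86",
    b"google_sdk",
    b"/dev/socket/qemud",
]


def triage_apk(apk_bytes: bytes) -> dict:
    """Return bundled native libraries, matches against known library names,
    and emulator-detection strings found in the APK's dex and native code."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        names = apk.namelist()
        native_libs = sorted(
            n for n in names if n.startswith("lib/") and n.endswith(".so")
        )
        basenames = {n.rsplit("/", 1)[-1] for n in native_libs}
        known_libs = sorted(basenames & KNOWN_NATIVE_LIBS)

        markers = set()
        for name in names:
            if not (name.endswith(".dex") or name.endswith(".so")):
                continue
            data = apk.read(name)
            for marker in EMULATOR_MARKERS:
                if marker in data:
                    markers.add(marker.decode())

    return {
        "native_libs": native_libs,
        "known_native_libs": known_libs,
        "emulator_markers": sorted(markers),
        # One known library, or several emulator checks, is worth a closer look.
        "suspicious": bool(known_libs) or len(markers) >= 2,
    }


def build_sample_apk() -> bytes:
    """Constructed APK-shaped zip for demonstration only; not a real app."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as apk:
        apk.writestr("AndroidManifest.xml", b"\x00")
        # A dex-like blob carrying two emulator-check strings.
        apk.writestr(
            "classes.dex",
            b"dex\n035\x00" + b"ro.kernel.qemu\x00" + b"goldfish\x00",
        )
        apk.writestr("lib/arm64-v8a/defcome-lib.so", b"\x7fELF" + b"\x00" * 32)
        apk.writestr("lib/armeabi-v7a/libhelper.so", b"\x7fELF" + b"\x00" * 32)
    return buf.getvalue()


if __name__ == "__main__":
    import sys

    # Pass a real APK path to scan it; otherwise the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_apk()
    for key, value in triage_apk(data).items():
        print(f"{key}: {value}")
```

String matching on the raw dex will not see obfuscated or runtime-assembled strings, which is exactly why campaigns like this one move the C2 details into a native library; treat a hit as a reason to pull the `.so` into a disassembler, not as a verdict on its own.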

The mix of distribution channels, from dedicated websites to the official Google Play Store, indicates a sustained effort to reach potential targets wherever they install apps. The campaign's primary goal is espionage, focused on targets in Pakistan and India.
