An active Android malware campaign called “eXotic Visit” primarily targets users in South Asia, particularly India and Pakistan, and distributes the malware through dedicated websites and the Google Play Store.
The Slovak cybersecurity company ESET said the activity has been ongoing since November 2021 but is not linked to any known attackers or groups. It is tracking the group behind the operation under the name Virtual Invaders.
“The downloaded app provides legitimate functionality, but also contains code from the open source Android XploitSPY RAT,” ESET security researcher Lukáš Štefanko said in a technical report published today.
The campaign is said to be targeted in nature, with only a small number of installs for the apps available on Google Play, ranging from 0 to 45, after which the apps were removed.

The fake but functional apps mainly pretend to be messaging services such as Alpha Chat, ChitChat, Defcom, Dink Messenger, Signal Lite, TalkU, WeTalk, Wicker Messenger, and Zaangi Chat. Around 380 victims are said to have downloaded the apps and created accounts to use them for messaging.
Also part of eXotic Visit are apps like Sim Info and Telco DB, both of which claim to provide detailed information about SIM owners by simply entering their Pakistan-based phone number. Other applications pretend to be food ordering services at legitimate hospitals in Pakistan and India called Specialist Hospitals (now rebranded as Trilife Hospitals).

XploitSPY was uploaded to GitHub in April 2020 by a user named RaoMK and is associated with an Indian cybersecurity solutions company called XploitWizer. It is also described as a fork of another open source Android Trojan called L3MON, which in turn is said to have been inspired by AhMyth.
It has a wide range of features that allow it to collect sensitive data from infected devices, such as GPS location, microphone recordings, contacts, SMS messages, call logs, and clipboard contents; extract notification details from apps like WhatsApp, Facebook, Instagram, and Gmail; download and upload files; list installed apps; and queue commands.
Additionally, the malicious app is designed to take photos, take screenshots, and enumerate files in several directories related to WhatsApp, WhatsApp Business, Telegram, and an unofficial WhatsApp MOD known as GBWhatsApp.

“Over the years, these threat actors have customized their malicious code by adding obfuscation, emulator detection, hiding of [command-and-control] addresses, use of native libraries, etc.,” Štefanko said.
The primary purpose of the native library (‘defcome-lib.so’) is to encode and hide C2 server information from static analysis tools. If the emulator is detected, the app utilizes a fake C2 server to evade detection.
Some apps are disseminated through a website created specifically for this purpose (“chitchat.ngrok[.]io”), which provides a link to an Android package file (“ChitChat.apk”) hosted on GitHub. It is currently unclear how victims are directed to these apps.
“Distribution started on a dedicated website and then moved to the official Google Play Store,” Štefanko concluded. “The purpose of this campaign is espionage, likely targeting victims in Pakistan and India.”