An Android malware campaign known as eXotic Visit is targeting users in South Asia, especially in India and Pakistan. The malware is being distributed through dedicated websites and the Google Play Store.
A Slovak cybersecurity firm has been tracking the group behind the operation, named Virtual Invaders, since November 2021. The malware is being distributed through apps that offer legitimate functionality alongside code from the XploitSPY RAT.
The malicious campaign is highly targeted: the apps had only a small number of installs on Google Play before they were taken down. These fake apps masquerade as messaging services like Alpha Chat, ChitChat, and Signal Lite.
Another aspect of the campaign includes apps like Sim Info and Telco DB, which claim to provide SIM owner details when a user enters a phone number based in Pakistan. The malware also poses as a food ordering service in Pakistan and a hospital in India.
The XploitSPY malware, uploaded to GitHub in April 2020, is associated with an Indian cybersecurity company. It is known for its wide range of features that gather sensitive data from infected devices.
The malware is designed to extract data from popular apps like WhatsApp and Facebook, as well as take pictures and collect information from various directories. It has been evolving over the years to avoid detection and hide its command-and-control server information.
The malware has been distributed through dedicated websites and the Google Play Store, with the main goal of espionage targeting victims in Pakistan and India.