Attack Of Exotic Visit Spyware Campaign On Indian And Pakistani Android Users

An ongoing Android malware operation known as eXotic Visit has predominantly targeted users in South Asia, notably India and Pakistan, delivering spyware through specialized websites and the Google Play Store.

The Slovak cybersecurity firm said the activity has been underway since November 2021 and is not tied to any recognized threat actor or organization. It is tracking the group behind the operation under the name Virtual Warriors.

According to a technical paper published today by ESET security researcher Lukáš Štefanko, “downloaded applications may contain code from the open-source Android XploitSPY RAT while providing legal functionality.”

The effort is believed to be extremely targeted: the apps listed on Google Play received only a small number of installations, ranging from zero to 45. The applications have subsequently been taken offline.

The fraudulent but working applications typically pose as chat services, including Alpha Chat, ChitChat, Defcom, Dink Messenger, Signal Lite, TalkU, WeTalk, Wicker Messenger, and Zaangi Chat. According to reports, “around 380 victims downloaded the applications and set up accounts to utilize them for communicating.”

eXotic Visit also includes applications such as Sim Info and Telco DB, which claim to reveal information about a SIM owner when a Pakistan-based phone number is entered. Other apps impersonate a meal ordering service in Pakistan and an actual Indian hospital called Specialist Hospital (recently rebranded as Trilife Hospital).


XploitSPY, submitted to GitHub in April 2020 by a user named RaoMK, is affiliated with XploitWizer, an Indian cyber security solutions firm. It has also been described as a fork of another open-source Android malware named L3MON, which in turn is inspired by AhMyth.

It has a wide range of features that allow it to collect confidential information from compromised devices, including GPS locations, microphone recordings, contacts, SMS messages, call logs, and clipboard content. It can also extract notification details from apps like WhatsApp, Facebook, Instagram, and Gmail; download and upload files; view installed apps; and queue commands.

Furthermore, the malicious applications are programmed to capture images and enumerate the contents of several folders connected to screenshots, WhatsApp, WhatsApp Business, Telegram, and an unauthorized WhatsApp mod known as GBWhatsApp.

Štefanko added, "Throughout the years, these threat actors have customized their malicious code. For this, they added obfuscation, emulator detection, hiding of [command-and-control] addresses, and use of a native library."

The primary function of the native library ("defcome-lib.so") is to encrypt and conceal C2 server information from static analysis tools. If an emulator is detected, the app uses a fake C2 server to avoid discovery.

Some of the apps have been distributed via websites built specifically for this purpose ("chitchat.ngrok[.]io"). These websites include a link to an Android package file ("ChitChat.apk") hosted on GitHub. It is not yet clear how victims are steered to these applications.
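The two passages above (a native library that hides the C2 address, and a purpose-built distribution site) suggest a simple triage step for a suspect APK. The following is an added example, not code from ESET or from the malware: it lists native libraries, flags the library name quoted above, and shows that a plaintext string scan recovers no C2 host. The sample archive, its contents, and all function names are constructed for illustration.

```python
import io
import re
import zipfile

URL_RE = re.compile(rb"https?://([A-Za-z0-9.-]+)")

def refang(indicator):
    """Turn a defanged indicator such as 'a[.]b' back into 'a.b' for matching."""
    return indicator.replace("[.]", ".")

# Indicators quoted in the article: the native library and the distribution host.
WATCHED_LIBS = {"defcome-lib.so"}
WATCHED_HOSTS = {refang("chitchat.ngrok[.]io")}

def triage_apk(apk_bytes):
    """Walk an APK (a zip archive) and report native libs and plaintext hosts."""
    report = {"native_libs": [], "watched_libs": [], "plaintext_hosts": set()}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            data = apk.read(name)
            if name.startswith("lib/") and name.endswith(".so"):
                report["native_libs"].append(name)
                if name.rsplit("/", 1)[-1] in WATCHED_LIBS:
                    report["watched_libs"].append(name)
            # Plain string scan: this is the static view the library defeats.
            for host in URL_RE.findall(data):
                report["plaintext_hosts"].add(host.decode().lower())
    report["watched_hosts"] = report["plaintext_hosts"] & WATCHED_HOSTS
    return report

def build_sample_apk():
    """Constructed stand-in for an APK: one dex file and one native library."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"dex\n035\x00 https://example.invalid/help")
        # Constructed bytes: no server address is present in plaintext.
        z.writestr("lib/arm64-v8a/defcome-lib.so", b"\x7fELF" + bytes(range(64)))
    return buf.getvalue()

if __name__ == "__main__":
    result = triage_apk(build_sample_apk())
    for key, value in result.items():
        print(key, "=>", value)
```

A watched library with no plaintext C2 host is the cue to move to dynamic analysis. Because an emulator is given a fake C2 server, an address recovered from an emulator-based sandbox run should not be treated as the real one.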

Štefanko also added, "Distribution started on specialized websites and then even moved to the official Google Play store." "The goal of the campaign is spying and probably focuses on victims in Pakistan and India."