Android Alert—Users must delete these malicious apps today

This malware is openly advertised online—yet it was just found in three dangerous apps, stealing messages and banking credentials from infected phones…

Another serious warning for Android users this week: beware of apps that claim to provide interfaces to popular messaging platforms. This latest trio of apps has been found to carry the well-established open-source XploitSPY malware.

ESET says the latest campaign—which it calls eXotic Visit—appears to be limited to a small number of users in Asia, but the concept of operations behind the attack is a serious warning to all users, wherever they are.

“This active and targeted Android spying campaign,” the team says, “began in late 2021 and mainly mimics messaging apps distributed through dedicated websites and Google Play.”

The malicious apps have been removed from Google Play, but that doesn’t mean they won’t still be on devices or available in third-party stores. Android users should keep Google Play Protect enabled as additional protection against apps that have slipped through the Play Store’s defenses or been found elsewhere.

“Android users are automatically protected against known versions of malware through Google Play Protect,” the company advises, “which is turned on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play.”

The XploitSPY malware promises a whole host of nasty capabilities, including GPS logging, microphone recording, camera access, SMS access, clipboard logging and message notification interception. You don’t want this on your device.

The primary motive of the campaigns built around this malware is theft—using credentials for banking and other financial applications to drain accounts. But the limited, specific nature of this campaign seems more likely to be targeted espionage.

ESET’s report includes details on the timeline by which this latest campaign was identified, but the much more important basis of the warning is. Such copycat apps or those that appear to offer links to popular, well-established apps are designed to trick users into thinking they are safe.

The three apps we’ve identified this time are Dink Messenger, SIM Info, and Defcom—and any of those you happen to find on your phone should be deleted immediately. If you find one, be sure to run a security check on your device and keep an eye on your accounts. It’s also a good idea to change your bank account and messaging passwords and make sure you’ve enabled MFA.

ESET warns that “XploitSPY is widely available and customized versions have been used by multiple threat actors… However, the modifications found in the applications we describe as part of the eXotic Visit campaign are distinctive and different from those in previously documented variants of the XploitSPY malware.”

As always, if you follow the five golden rules below, you’ll likely stay safe. But keep an eye on your device’s performance, including battery life and processing speed, and if anything changes drastically, check what’s running in the background.

  1. Stick to official app stores—don’t use third-party stores, and never change your device’s security settings to allow an app to load.
  2. Check out the developer in the app description—is this someone you’d like in your life? And check the reviews, do they look legit or farmed?
  3. Don’t give an app permissions it shouldn’t need: flashlights and stargazing apps don’t need access to your contacts and phone. Never grant accessibility permissions that facilitate device control unless you have to.
  4. Never ever click links in emails or messages that directly download apps or updates—always use app stores for installations and updates.
  5. Don’t install apps that link to established apps like WhatsApp unless you know for sure they’re legitimate—check reviews and online records.
