Cybersecurity researchers from ESET found a handful of malicious Android apps that spied on people and stole sensitive information from their mobile devices.
In a press release shared with TechRadar Pro earlier this week, researchers said a new group of threat actors, which they dubbed Virtual Invaders, has been active since late 2021.
The group created a number of Android apps posing as communication products, each bundled with the open-source malware XploitSPY. ESET named the campaign “eXotic Visit”.
Low number of downloads
On the surface, the applications worked as intended, offering rudimentary communication services. Behind the scenes, however, the malware extracted victims’ contact lists and files, the device’s GPS location, and the names of files stored in certain camera-related directories, the downloads folder, and the directories of various messaging apps such as Telegram or WhatsApp. If any of those file names looked promising, the attackers could also exfiltrate the files themselves, the report said.
To create the malware, the attackers appear to have taken the open-source Android Remote Access Trojan (RAT), XploitSPY, and modified it. While the apps offered rudimentary services, they also came with a number of bogus functions. Over the years, attackers have added new features, including better cloaking techniques, emulator detectors, and more.
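The collection profile described above (contacts, location, file listings from media and messaging directories) maps directly onto a small set of Android permissions, which makes permission review a cheap first screening step when vetting an app or triaging a suspect APK. The script below is an added defender-side example, not ESET’s code and not part of the original article. It assumes a text AndroidManifest.xml as produced by a decoder such as apktool (installed APKs carry a binary manifest), and the sample manifest, package name `com.example.chatapp`, and the `SENSITIVE` permission table are constructed for illustration.

```python
"""Permission-based triage for Android apps (added example, not ESET's code).

Compares the permissions declared in an AndroidManifest.xml against the data
categories the article says the spyware harvested, and flags an app that can
reach contacts, location and files at once. The manifest below is a
constructed sample, not taken from any real app.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that grant access to the kinds of data the article describes
# being collected. Constructed mapping; extend it to suit your own policy.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "location",
    "android.permission.READ_EXTERNAL_STORAGE": "files",
    "android.permission.MANAGE_EXTERNAL_STORAGE": "files",
    "android.permission.READ_MEDIA_IMAGES": "files",
    "android.permission.READ_SMS": "sms",
    "android.permission.RECORD_AUDIO": "audio",
}

# Constructed sample: a "messenger" that asks for far more than messaging
# needs. The package name is hypothetical.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chatapp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <application android:label="Chat">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""


def declared_permissions(manifest_xml: str) -> list[str]:
    """Return the android:name of every <uses-permission> element, in order."""
    root = ET.fromstring(manifest_xml)
    names = []
    for elem in root.iter("uses-permission"):
        # The android: prefix is bound to ANDROID_NS, so ElementTree exposes
        # the attribute under its Clark-notation key.
        name = elem.get(f"{{{ANDROID_NS}}}name")
        if name:
            names.append(name)
    return names


def triage(manifest_xml: str) -> dict:
    """Summarise which sensitive data categories the app can reach.

    'review' is True when contacts, location and files are all reachable:
    that combination matches the collection profile in the article and
    deserves a manual look when the app's stated purpose is plain messaging.
    """
    root = ET.fromstring(manifest_xml)
    perms = declared_permissions(manifest_xml)
    categories = sorted({SENSITIVE[p] for p in perms if p in SENSITIVE})
    flagged = {"contacts", "location", "files"}.issubset(categories)
    return {
        "package": root.get("package"),
        "sensitive_permissions": [p for p in perms if p in SENSITIVE],
        "categories": categories,
        "review": flagged,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```

A permission review is a screening heuristic, not a verdict: legitimate messengers do request contacts, and runtime permission prompts can still be declined by the user. Its value is in surfacing apps whose declared reach is out of proportion to their advertised function, which is exactly the mismatch the eXotic Visit apps relied on.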
There were more than a dozen apps, ESET said, and the three biggest were called Dink Messenger, Sim Info and Defcom. All were distributed through standalone websites as well as Google Play, but all were subsequently removed from Google’s app repository.
However, the chances of encountering any of these apps are relatively low. Reportedly, the attackers targeted only individuals in Pakistan and India and were quite selective in their attacks. In total, there were approximately 380 downloads across the standalone websites and the Play Store, with each app reaching at most 45 downloads. The distribution methods were not discussed, but phishing and social engineering are the most likely.