This nasty malware is openly advertised online—and yet it’s just been found in three dangerous apps, stealing messages and banking credentials from infected phones…

Another serious warning for Android users this week, to beware apps that claim to provide interfaces into popular messaging platforms. This latest trio of apps was found to be carrying the well-established, open-source XploitSPY malware.

ESET says that the latest campaign—which it has dubbed eXotic Visit—seems limited to a modest number of users in Asia, but the concept of operations behind the attack is a serious warning for all users, wherever they’re located.

“This active and targeted Android espionage campaign,” the team says, “started in late 2021 and mainly impersonates messaging apps that are distributed through dedicated websites and Google Play.”

The malicious apps have been removed from Google Play, but that doesn’t mean they won’t still be on devices or available from third-party stores. Android users should ensure that they have Google’s Play Protect enabled as an additional protection against apps that have sneaked through the store’s defenses or which were installed from elsewhere.

“Android users are automatically protected against known versions of malware by Google Play Protect,” the company advises, “on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play.”

XploitSPY malware promises a full menu of nasty capabilities, including GPS logging, microphone recording, camera access, SMS access, clipboard logging and message notification interception. You do not want this on your device.

The primary motivation of campaigns built around this malware is theft—using banking and other finance app credentials to drain accounts. But the limited, specific nature of this particular campaign suggests it is more likely targeted espionage.

ESET’s report includes details of the timeline by which this latest campaign was identified, but it’s the basis of the warning that’s much more important. Copycat apps, and apps that appear to offer links into popular, well-established apps, are designed to trick users into thinking they’re safe.

The three apps identified this time around are Dink Messenger, SIM Info and Defcom—and any of those that you happen to find on your phone should be deleted right away. If you do find one, make sure you run a security check on your device and keep an eye on your accounts. You would also be well-advised to change bank account and messaging passwords, and to ensure you have MFA enabled.

ESET warns that “XploitSPY is widely available and customized versions have been used by multiple threat actors… However, the modifications found in the apps we describe as part of the eXotic Visit campaign are distinctive and differ from those in previously documented variants of the XploitSPY malware.”

As ever, if you stick to the five golden rules below, you’ll likely stay safe. But keep an eye on your device performance, including battery life and processing speed, and if either changes drastically check to see what’s running in the background.

  1. Stick to official app stores—don’t use third-party stores and never change your device’s security settings to enable an app to load.
  2. Check the developer in the app’s description—is it someone you’d like inside your life? And check the reviews: do they look legitimate or farmed?
  3. Do not grant permissions to an app that it should not need: torches and star-gazing apps don’t need access to your contacts and phone. And never grant accessibility permissions that facilitate device control unless you have a need.
  4. Never ever click links in emails or messages that directly download apps or updates—always use app stores for installs and updates.
  5. Do not install apps that link to established apps like WhatsApp unless you know for a fact they’re legitimate—check reviews and online write-ups.