
Cyber-Espionage Campaign Targets Android Users in South Asia with Malicious Apps

ESET researchers have disclosed an ongoing cyber-espionage campaign, dubbed "eXotic Visit," that has been targeting Android users in Pakistan and India since November 2021. The campaign distributes malicious applications posing as messaging services through the Google Play store and through dedicated websites set up for the purpose.

The apps offer working messaging features to lure users, but they are bundled with XploitSPY, a customized version of an open-source Android remote access tool (RAT). Behind the ordinary messaging front end, they can exfiltrate sensitive data such as contact lists, GPS location and files from the device, with particular attention to the camera and download directories and the storage used by popular messaging apps such as Telegram and WhatsApp.

ESET's investigation found that the apps were built to avoid detection: they include custom chat functionality, believed to have been written by the threat actors (tracked as "Virtual Invaders"), so that the apps look and behave like legitimate messengers. In addition, the malware uses a native library, the kind of component normally reserved for performance-critical code, to store sensitive details such as the command and control (C&C) server address, so that the address does not appear in the app's Java/Dalvik code and is harder to recover during analysis.
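Because a C&C endpoint moved into a native library does not show up when an analyst decompiles the app's Dalvik code, the first triage step is to look inside the `.so` files themselves. The script below is an added example written for this article, not ESET's tooling and not code from the eXotic Visit apps. It treats the APK as the ZIP it is, walks every `lib/<abi>/*.so` entry, pulls printable runs out of each (like `strings -n`), and flags runs that look like URLs, hostnames or IPv4 endpoints; since a hidden endpoint is often stored encoded rather than in the clear, long high-entropy runs (base64 and similar) are flagged for manual follow-up as well. The APK returned by `build_sample_apk()`, the `example.invalid` endpoints, the TLD list and the entropy threshold are all constructed assumptions for the demo.

```python
"""Triage the native libraries inside an APK for embedded C&C indicators.

Added example for this article; not ESET's tooling and not code from the
eXotic Visit apps. The sample APK built by build_sample_apk() is constructed
here so the script runs offline.
"""
from __future__ import annotations

import io
import math
import re
import zipfile
from collections import Counter

MIN_LEN = 8              # shortest printable run worth looking at
ENTROPY_MIN_LEN = 24     # only long runs are judged by entropy
ENTROPY_THRESHOLD = 4.5  # bits/char; identifiers and English sit well below this

STRING_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
URL_RE = re.compile(r"https?://[\w.-]+(?::\d+)?(?:/[^\s\"']*)?")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?\b")
# Short TLD list is an assumption for the demo; extend it for real triage.
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|io|xyz|top|info)\b")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def extract_strings(blob: bytes) -> list[str]:
    """Printable ASCII runs of at least MIN_LEN bytes, like `strings -n`."""
    return [m.group().decode("ascii") for m in STRING_RE.finditer(blob)]


def classify(s: str) -> str | None:
    """Return an indicator type for s, or None if it looks benign."""
    if URL_RE.search(s):
        return "url"
    if IPV4_RE.search(s):
        return "ipv4"
    if HOST_RE.search(s.lower()):
        return "hostname"
    if len(s) >= ENTROPY_MIN_LEN and " " not in s and shannon_entropy(s) > ENTROPY_THRESHOLD:
        return "high-entropy"
    return None


def triage_apk(apk_bytes: bytes) -> list[tuple[str, str, str]]:
    """(library path, indicator type, string) for every hit inside lib/*.so."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if not (name.startswith("lib/") and name.endswith(".so")):
                continue  # only native code is in scope here
            for s in extract_strings(apk.read(name)):
                kind = classify(s)
                if kind is not None:
                    findings.append((name, kind, s))
    return findings


def build_sample_apk() -> bytes:
    """Constructed stand-in for a suspicious APK (not a real sample).

    The 'native library' is just bytes with an ELF magic, a JNI symbol name,
    a benign string, one plaintext URL, one IP:port and a base64-encoded URL.
    """
    fake_so = (
        b"\x7fELF" + b"\x00" * 12
        + b"Java_com_example_chat_NativeBridge_getEndpoint\x00"
        + b"libc.so.6\x00"
        + b"https://example.invalid/api/v1/register\x00"
        + b"10.0.0.1:8443\x00"
        + b"aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvY2hlY2tpbg==\x00"  # base64 of https://example.invalid/checkin
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("AndroidManifest.xml", b"<manifest/>")
        apk.writestr("classes.dex", b"dex\n035\x00")
        apk.writestr("lib/arm64-v8a/libnative.so", fake_so)
        # Non-native content is deliberately skipped by triage_apk().
        apk.writestr("assets/notes.txt", b"https://example.invalid/in-assets-not-native")
    return buf.getvalue()


if __name__ == "__main__":
    for lib, kind, value in triage_apk(build_sample_apk()):
        print(f"{lib}: [{kind}] {value}")
```

On the constructed sample this reports the plaintext URL, the IP:port and the base64 blob from `libnative.so` and nothing from the JNI symbol name or `libc.so.6`. A real sample that XORs or otherwise encrypts the endpoint will only surface through the entropy check, if at all, which is why the next step after string triage is usually to locate the JNI export the Java side calls and read the decoding routine in a disassembler.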


The targeted nature of the campaign shows in the install counts: the malicious apps had between zero and 45 downloads each before they were removed from the Google Play store. Through its partnership with the Google App Defense Alliance, ESET identified ten further apps containing XploitSPY-based code, which were subsequently removed from the store as well.

Even with that narrow targeting, roughly 380 victims downloaded the apps and registered accounts, which shows the lure worked. ESET also notes that while XploitSPY is freely available and used by several threat groups, the modifications in the "eXotic Visit" apps have characteristics not seen in previously known variants, which is what allows these samples to be attributed to a distinct campaign.

As the threat continues to evolve, ESET advises Android users in the affected regions to remain vigilant about the apps they install, even when they come from seemingly trustworthy sources such as the Google Play store.
