Malware Targets Indian and Pakistani Mobile Users Through These Mobile Apps | Technology & Science News
European researchers have uncovered a cyber espionage campaign targeting mobile phone users in India and Pakistan. The campaign, active since November 2021, distributes malware through dedicated websites and, for a time, through the Google Play Store, tricking users into installing fake messaging apps.
According to a report by the Slovak cybersecurity firm ESET, the malware, identified as the Android RAT XploitSPY, is being distributed through deceptive websites posing as legitimate sources of messaging applications. Users are lured into downloading APK files in the belief that they are getting genuine messaging apps.
The researchers found that several apps containing XploitSPY had been available on Google's app marketplace, tied to a GitHub user named Sojal87. These apps, including clones of applications such as ‘Zangi Chat’ and ‘PregnancyTracker’, were removed by Google after being flagged as malicious.
The operators' method is to build fake web pages resembling legitimate sites, complete with badges suggesting that the cloned app is available on platforms such as the Google Play Store. Clicking one of these badges either downloads the malicious APK directly or redirects the user to the GitHub profile, where they are prompted to download the malware.
Once installed on a device, XploitSPY begins extracting sensitive data such as contact lists, files, GPS location data and messages, and sends it to a command-and-control (C2) server run by the attackers. Victims include people seeking treatment at private hospitals and people looking to place online orders, who installed the malicious apps and in doing so exposed their personal data.
The malware's existence came to light after apps containing XploitSPY were discovered on GitHub, initially flagged by MalwareHunterTeam. These apps, such as ‘WeTalk’, masqueraded as popular applications like WeChat and directed users to download the malicious Android app from the GitHub project. Analysis showed that the apps did provide the promised messaging functionality alongside the malicious code, so a victim sees a working chat app rather than an obviously broken one.
The malicious code supports a range of capabilities: file access, SMS messaging, call-log access, device location and Wi-Fi network information, photo and audio capture, and interception of notifications from messaging apps such as WhatsApp and Signal. Notification interception is worth singling out: because the device renders message previews in notifications, a listener that reads them sees the plaintext of chats from end-to-end-encrypted apps without having to break the encryption at all.
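As an added example, not code from ESET's report or from this article: a small Python triage script that reads a decoded AndroidManifest.xml (the kind apktool produces) and maps the requested permissions onto the capabilities listed above, so an analyst can see at a glance whether a "chat app" carries the RAT profile. The permission-to-capability mapping, the five-capability threshold, the package names and both manifests are this example's own constructions, not artifacts from the campaign.

```python
"""Triage a decoded AndroidManifest.xml for the capability set described above.

Constructed example: both manifests below are hand-written to resemble apktool
output; neither is taken from a real XploitSPY sample.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_PERMISSION = f"{{{ANDROID_NS}}}permission"

# Permission -> capability it enables. The mapping is this example's own
# assumption, chosen to mirror the capability list in the article.
CAPABILITY_BY_PERMISSION = {
    "android.permission.READ_CONTACTS": "contact list access",
    "android.permission.READ_SMS": "SMS access",
    "android.permission.RECEIVE_SMS": "SMS access",
    "android.permission.SEND_SMS": "SMS sending",
    "android.permission.READ_CALL_LOG": "call log access",
    "android.permission.ACCESS_FINE_LOCATION": "device location",
    "android.permission.ACCESS_WIFI_STATE": "Wi-Fi network information",
    "android.permission.CAMERA": "photo capture",
    "android.permission.RECORD_AUDIO": "audio recording",
    "android.permission.READ_EXTERNAL_STORAGE": "file access",
    "android.permission.MANAGE_EXTERNAL_STORAGE": "file access",
}

# Notification access is not a <uses-permission>; it is a <service> guarded by
# this permission with this intent-filter action, so a permission-only scan misses it.
LISTENER_PERMISSION = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
LISTENER_ACTION = "android.service.notification.NotificationListenerService"


def declared_permissions(manifest_xml: str) -> set:
    """Names requested via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(A_NAME) for el in root.iter("uses-permission") if el.get(A_NAME)}


def notification_listener_services(manifest_xml: str) -> list:
    """Class names of services able to read other apps' notifications."""
    root = ET.fromstring(manifest_xml)
    found = []
    for svc in root.iter("service"):
        if svc.get(A_PERMISSION) != LISTENER_PERMISSION:
            continue
        if LISTENER_ACTION in {a.get(A_NAME) for a in svc.iter("action")}:
            found.append(svc.get(A_NAME))
    return found


def triage(manifest_xml: str) -> dict:
    """Summarise capabilities and flag the RAT-like profile.

    The threshold is this example's own heuristic: a chat app plausibly wants
    contacts, camera and microphone, but five or more listed capabilities
    plus a notification listener matches the profile described above.
    """
    perms = declared_permissions(manifest_xml)
    caps = sorted({CAPABILITY_BY_PERMISSION[p] for p in perms if p in CAPABILITY_BY_PERMISSION})
    listeners = notification_listener_services(manifest_xml)
    if listeners:
        caps.append("notification interception")
    return {
        "capabilities": caps,
        "notification_listeners": listeners,
        "rat_like": bool(listeners) and len(caps) >= 5,
    }


# Constructed manifest of a trojanised "chat" app (package name is invented).
TROJAN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chatclone">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application android:label="Chat">
    <service android:name=".NotifService" android:exported="true"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed manifest of an ordinary chat app for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.plainchat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application android:label="PlainChat"/>
</manifest>"""

if __name__ == "__main__":
    for label, m in (("trojan", TROJAN_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage(m))
```

To run this against a real APK, decode it first (for example with `apktool d sample.apk`) and feed the resulting AndroidManifest.xml to `triage`. The script checks service declarations as well as permissions because notification access never appears as a `uses-permission`; it is granted to a service protected by `BIND_NOTIFICATION_LISTENER_SERVICE`, and a scan that only lists permissions would miss the capability the article singles out.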
Since July 2023, the same GitHub account has hosted new malicious Android apps carrying similar code, indicating that the threat actor behind the campaign remains active. The actor's identity is unknown.
To reduce the risk from campaigns of this kind, experts recommend installing apps only from trusted platforms and verifying the authenticity of any file before downloading it from a web page. Since some of these apps were briefly listed on Google Play, a store listing is not proof of safety on its own: a messaging app that asks for SMS, call-log, location and notification access deserves scrutiny before those permissions are granted. These precautions help users keep their devices and personal data out of the hands of malicious actors.