Malicious malware targets Indian and Pakistani mobile users through these mobile apps | Technology and science news

Updated Apr 22, 2024 5:41 PM IST

According to a report by Slovak cybersecurity company ESET, the malware, identified as Android RAT XploitSPY, is distributed via deceptive websites masquerading as legitimate sources of messaging applications.

European researchers have discovered a sophisticated cyber espionage campaign targeting mobile phone users in India and Pakistan. The campaign, active since November 2021, is dependent on distribution malware via websites and the Google App Store, causing users to download fake messaging apps.

According to a report from Slovak cybersecurity company ESET, the malware has been identified as Android RAT XploitSPY is distributed via deceptive websites pretending to be legitimate sources of messaging applications. Users are tricked into downloading .apk files under the guise of getting genuine messaging apps.

The researchers discovered that numerous malicious apps running XploitSPY were available on Google’s app marketplace, uploaded by a GitHub user named Sojal87. These apps, which included clones of popular applications such as ‘Zangi Chat’ and ‘PregnancyTracker’, were later removed by Google after being flagged for malicious activity.

The cyber criminals’ modus operandi involves creating fake web pages that resemble legitimate websites and displaying icons suggesting the availability of cloned apps on platforms such as the Google Play Store. When users click on these icons, they unknowingly download the infected APK files or are redirected to the GitHub profile where they are prompted to download the malware.

Once installed on a device, XploitSPY starts extracting sensitive data such as contact lists, files, GPS location data, and messages, and sends them to a command and control server controlled by the attackers. Victims include individuals seeking treatment at private hospitals and people looking to place orders online, who inadvertently download the malicious apps and compromise their personal information.

The malware’s existence came to light following the discovery of apps running XploitSPY on GitHub, initially flagged by the MalwareHunterTeam. These apps, such as ‘WeTalk’, impersonated popular applications such as WeChat and directed users to download the malicious Android app from the GitHub project. Analysis revealed that these apps contained the promised messaging functionality, along with the malicious code.

The malicious code enables a number of functions such as file access, text messaging, access to call log, device location and Wi-Fi network information, photo and audio recording, and interception of messaging apps (such as WhatsApp and Signal).

Since July 2023, the same GitHub account has been hosting new malicious Android apps with similar malicious code, indicating continued activity from the threat actor behind the campaign. However, the identity of the threat actor remains unknown.

To limit the risk of such cyber espionage campaigns, experts recommend downloading apps only from trusted platforms and verifying the authenticity of files before downloading them from web pages. These precautions can help users protect their devices and personal data from malicious actors.

According to a report by Slovak cybersecurity company ESET, the malware, identified as Android RAT XploitSPY, is distributed via deceptive websites masquerading as legitimate sources of messaging applications.

Related Posts