This nasty malware is openly advertised online, and yet it's just been found in three dangerous apps, stealing messages and banking credentials from infected phones…
Another serious warning for Android users this week: beware apps that claim to provide interfaces into popular messaging platforms. This latest trio of apps was found to be carrying the well-established, open-source XploitSPY malware.
ESET says that the latest campaign, which it has dubbed eXotic Visit, seems limited to a modest number of users in Asia, but the concept of operations behind the attack is a serious warning for all users, wherever they're located.
"This active and targeted Android espionage campaign," the team says, "started in late 2021 and mainly impersonates messaging apps that are distributed through dedicated websites and Google Play."
The malicious apps have been removed from Google Play, but that doesn't mean they won't still be on devices or available from third-party stores. Android users should ensure that they have Google's Play Protect enabled as an additional protection against apps that sneaked through the store's defenses or were installed from elsewhere.
"Android users are automatically protected against known versions of malware by Google Play Protect," the company advises, "on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play."
XploitSPY malware promises a full menu of nasty capabilities, including GPS logging, microphone recording, camera access, SMS access, clipboard logging and message notification interception. You do not want this on your device.
The primary motivation of campaigns built around this malware is theft: using banking and other finance app credentials to drain accounts. But the limited, specific nature of this particular campaign suggests targeted espionage is the more likely goal.
ESET's report includes details of the timeline by which this latest campaign was identified, but it's the basis of the warning that's much more important. Copycat apps, or apps that seem to offer links to popular, well-established apps, are designed to trick users into thinking they're safe.
The three apps identified this time around are Dink Messenger, SIM Info and Defcom; if you find any of them on your phone, delete it right away. If you do find one, run a security check on your device and keep an eye on your accounts. You would also be well advised to change your bank account and messaging passwords, and to ensure you have MFA enabled.
ESET warns that "XploitSPY is widely available and customized versions have been used by multiple threat actors… However, the modifications found in the apps we describe as part of the eXotic Visit campaign are distinctive and differ from those in previously documented variants of the XploitSPY malware."
As ever, if you stick to the five golden rules below, you'll likely stay safe. But keep an eye on your device's performance, including battery life and processing speed, and if either changes drastically, check to see what's running in the background.
- Stick to official app stores: don't use third-party stores, and never change your device's security settings to allow an app to install.
- Check the developer in the app's description: is it someone you'd want inside your life? And check the reviews: do they look legitimate or farmed?
- Do not grant permissions an app should not need: torch and star-gazing apps don't need access to your contacts and phone. And never grant accessibility permissions, which enable device control, unless you have a genuine need.
- Never click links in emails or messages that directly download apps or updates; always use app stores for installs and updates.
- Do not install apps that link to established apps like WhatsApp unless you know for a fact they're legitimate; check reviews and online write-ups.
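One practical way to act on the capability list and the permissions rule above, as an added example that is not part of the article or of ESET's report: a Python script that parses the output of `adb shell dumpsys package` (captured with `adb shell dumpsys package > dump.txt`) and lists any app granted several of the runtime permissions those spyware capabilities require. The package names and dumpsys excerpt are constructed, and the flagging threshold is an assumption to tune; a hit means "review this app", not "this is malware".

```python
import re
# The capabilities the article attributes to XploitSPY, mapped to the Android runtime
# permissions an app must hold to use them (clipboard and notification access need none).
SPYWARE_CAPABILITIES = {
    "location": {"android.permission.ACCESS_FINE_LOCATION", "android.permission.ACCESS_COARSE_LOCATION"},
    "microphone": {"android.permission.RECORD_AUDIO"},
    "camera": {"android.permission.CAMERA"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "contacts": {"android.permission.READ_CONTACTS"},
}
PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
PERM_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=(true|false)")

def granted_permissions(dumpsys_text):
    """Parse `adb shell dumpsys package` output into {package: set of granted permissions}."""
    granted, current = {}, None
    for line in dumpsys_text.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = m.group(1)
            granted.setdefault(current, set())
            continue
        m = PERM_RE.match(line)
        if m and current and m.group(2) == "true":
            granted[current].add(m.group(1))
    return granted

def flag_packages(dumpsys_text, threshold=3):
    """Packages granted at least `threshold` of the listed capabilities, for manual review."""
    flagged = {}
    for pkg, perms in granted_permissions(dumpsys_text).items():
        caps = [cap for cap, needed in SPYWARE_CAPABILITIES.items() if perms & needed]
        if len(caps) >= threshold:
            flagged[pkg] = caps
    return flagged

# Constructed sample, trimmed to the lines that matter; both package names are made up.
SAMPLE_DUMPSYS = """\
  Package [com.example.torch] (1a2b3c):
      android.permission.CAMERA: granted=true, flags=[ user_set ]
  Package [org.example.chat.clone] (4d5e6f):
    runtime permissions:
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ user_set ]
      android.permission.RECORD_AUDIO: granted=true, flags=[ user_set ]
      android.permission.CAMERA: granted=true, flags=[ user_set ]
      android.permission.READ_SMS: granted=true, flags=[ user_set ]
      android.permission.READ_CONTACTS: granted=false, flags=[ user_set ]
"""
```

Running `flag_packages(SAMPLE_DUMPSYS)` reports only the chat clone, because the torch app holds just the camera grant; lowering the threshold makes the check noisier but catches single-permission oddities.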