Keypoints
- eXotic Visit is a targeted Android espionage campaign active from late 2021 through 2023 that trojanized functional messaging apps with XploitSPY-derived code.
- Distribution channels included dedicated websites (ngrok and custom domains), GitHub-hosted APKs and a small number of apps uploaded to Google Play; installs per app were low, indicating targeted victims.
- Malicious apps exfiltrated contacts, files (including targeted extraction by filename), call logs, SMS, installed apps list, Wi‑Fi scans, GPS/location, camera images and microphone audio.
- Operators (Virtual Invaders) customized XploitSPY with code obfuscation, emulator detection (redirects to fake C2), a native library to encode/hide C2 addresses, and Firebase-based C2 retrieval.
- Network infrastructure included ngrok tunnels and attacker-controlled domains (e.g., letchitchat[.]info, zee.xylonn[.]com) and several Amazon-hosted IPs used for C2 and distribution.
- ESET found ~380 compromised accounts across the apps, shared IoCs with Google as an App Defense Alliance partner, and identified and helped remove multiple malicious apps from Google Play.
MITRE Techniques
- [T1624.001] Event Triggered Execution: Broadcast Receivers – XploitSPY registers to run on device startup by receiving BOOT_COMPLETED (‘…registers to receive the BOOT_COMPLETED broadcast intent to activate on device startup.’)
- [T1575] Native API – A native library is used to conceal C2 addresses from static analysis (‘…uses a native library to hide its C&C servers.’)
- [T1633.001] Virtualization/Sandbox Evasion: System Checks – The malware detects emulators and returns fake C2 addresses to evade sandboxes (‘…can detect whether it is running in an emulator and adjust its behavior accordingly.’)
- [T1418] Software Discovery – The malware enumerates installed applications on the device (‘…can obtain a list of installed applications.’)
- [T1420] File and Directory Discovery – XploitSPY lists files and directories on external storage to find items of interest (‘…can list files and directories on external storage.’)
- [T1533] Data from Local System – The trojan can exfiltrate files from the device to C2 servers (‘…can exfiltrate files from a device.’)
- [T1517] Access Notifications – The malware intercepts notifications and attempts to collect messages from messaging apps (‘…can collect messages from various apps.’)
- [T1429] Audio Capture – The app can record audio from the device microphone (‘…can record audio from the microphone.’)
- [T1437.001] Application Layer Protocol: Web Protocols – XploitSPY communicates with its C2 over HTTPS (‘…uses HTTPS to communicate with its C&C server.’)
- [T1646] Exfiltration Over C2 Channel – Data exfiltration occurs over the C2 channel using HTTPS/websocket mechanisms (‘…exfiltrates data using HTTPS.’)
Indicators of Compromise
- [SHA-1 hashes] Known malicious APKs – C9AE3CD4C3742CC3353AF353F96F5C9E8C663734 (alphachat.apk), 7282AED684FB1706F026AA85461FB852891C8849 (dinkmessenger_v1_3.apk), and 18 more hashes listed in the report.
- [Filenames / Package names] Trojanized app examples – alphachat.apk, dinkmessenger.apk, com.infinitetechnology.telcodb (Telco DB), com.egoosoft.siminfo (SimInfo).
- [Domains] Distribution and C2 domains – letchitchat[.]info (distribution), zee.xylonn[.]com (C2); phpdownload.ngrok[.]io used as C2 endpoint.
- [IPs] Hosting and C2 infrastructure – 3.13.191[.]225 (phpdownload.ngrok[.]io, C2), 195.133.18[.]26 (letchitchat[.]info, distribution website).
eXotic Visit initial access relied on social engineering to get users to install fully functional-looking messaging or utility apps from dedicated websites, GitHub repositories and, in several cases, Google Play. The malicious APKs bundle customized variants of the open-source Android RAT XploitSPY and prompt account creation while obtaining location (via api.ipgeolocation.io) and permissions needed for data collection.
Once installed, the XploitSPY variants support remote commands to list files, enumerate specific directories (Camera, Downloads, Screenshots, Telegram, WhatsApp paths, GBWhatsApp, WhatsApp Business), extract targeted files by filename, exfiltrate arbitrary files, retrieve contacts, SMS and call logs, capture audio and images, and collect installed-app and Wi‑Fi information. Commands are represented as string opcodes (examples: 0xCO for contacts, 0xDA to exfiltrate a specified file, 0xOF to list files in targeted directories, 0xLO for GPS, 0xIP for IP-based geolocation); larger non-image files (>2MB) were routed to a secondary C2 for exfiltration while smaller files used a websocket to the primary C2.
To evade analysis and hide infrastructure, operators implemented emulator detection that returns fake C2 addresses when a sandbox is detected, moved C2 retrieval to Firebase to avoid hardcoding, and used a native library (e.g., defcome-lib.so) that returns base64-encoded strings decoded at runtime to conceal real C2 URLs. Network infrastructure included ngrok tunnels and Amazon-hosted endpoints (multiple IPs/domains) and attacker-controlled domains (letchitchat[.]info, zee.xylonn[.]com). C2 and exfiltration used HTTPS on non-standard ports and web sockets, enabling stealthy command-and-control and data extraction from targeted devices.
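The native-library trick described above (base64-encoded C2 strings that are only decoded at runtime) can be triaged statically by pulling base64 runs out of a binary's string table and keeping only those that decode to URLs, then checking them against a defanged watchlist and for HTTPS/websocket on non-standard ports. The following Python is an added example written for this page, not ESET's tooling or code from the samples; the byte blob, the example.invalid hosts and the watchlist entries are constructed.

```python
import base64
import re
from urllib.parse import urlparse

# Constructed stand-in for the string table of a native library such as
# defcome-lib.so: JNI symbol names, two base64-encoded C2 URLs and a base64
# decoy that is not a URL. These bytes are test data, not the real sample.
SAMPLE_RODATA = (
    b"\x00JNI_OnLoad\x00libc.so\x00getConfig\x00"
    + base64.b64encode(b"https://c2-primary.example.invalid:8443/ws") + b"\x00"
    + base64.b64encode(b"wss://c2-upload.example.invalid:8080/upload") + b"\x00"
    + base64.b64encode(b"not a url at all") + b"\x00QUJD\x00"
)

# Defanged watchlist in the form a report publishes it; entries are constructed.
# In practice this would hold the report's C2 and distribution domains.
WATCHLIST = ["c2-primary.example[.]invalid", "decoy.example[.]invalid"]

# A run of 16+ base64 characters plus optional padding, not glued to other base64.
B64_TOKEN = re.compile(rb"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")
URL_SCHEMES = ("http", "https", "ws", "wss")

def decode_base64_urls(blob: bytes) -> list[tuple[str, str]]:
    """Return (token, url) pairs for every base64 run that decodes to a URL."""
    found = []
    for match in B64_TOKEN.finditer(blob):
        token = match.group(0)
        try:
            text = base64.b64decode(token, validate=True).decode("ascii")
        except ValueError:  # bad padding / non-ASCII: not a concealed string
            continue
        parsed = urlparse(text)
        if parsed.scheme in URL_SCHEMES and parsed.hostname:
            found.append((token.decode("ascii"), text))
    return found

def refang(indicator: str) -> str:
    return indicator.replace("[.]", ".").replace("hxxp", "http")

def triage(blob: bytes, watchlist: list[str]) -> list[dict]:
    """Flag recovered URLs that hit the watchlist or use a non-default port."""
    hosts = {refang(i).lower() for i in watchlist}
    report = []
    for _token, url in decode_base64_urls(blob):
        parsed = urlparse(url)
        default = 443 if parsed.scheme in ("https", "wss") else 80
        report.append({"url": url,
                       "watchlist_hit": parsed.hostname.lower() in hosts,
                       "nonstandard_port": parsed.port not in (None, default)})
    return report

if __name__ == "__main__":
    for row in triage(SAMPLE_RODATA, WATCHLIST):
        print(row)
```

Running the same extractor over the real .so's string table (or over decompiled Smali constants) gives a quick list of candidate C2 endpoints without executing the app, which also sidesteps the emulator check described above.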