eXotic Visit spyware hits India, Pakistan

Apr 15 2024

.bh__table, .bh__table_header, .bh__table_cell { border: 1px solid #C0C0C0; }
.bh__table_cell { padding: 5px; background-color: #FFFFFF; }
.bh__table_cell p { color: #2D2D2D; font-family: ‘Helvetica’,Arial,sans-serif !important; overflow-wrap: break-word; }
.bh__table_header { padding: 5px; background-color:#F1F1F1; }
.bh__table_header p { color: #2A2A2A; font-family:’Trebuchet MS’,’Lucida Grande’,Tahoma,sans-serif !important; overflow-wrap: break-word; }

Gone Phishing Banner

Welcome to Gone Phishing, your daily cybersecurity newsletter that eats, sleeps, and breathes cybersecurity. We’re well fun at parties πŸ€“

Β Today’s hottest cybersecurity news stories:

  • πŸ“± Android users beware! eXotic Visit spyware hits India, Pakistan πŸ•Œ

  • πŸ‘¨β€πŸ’» Brazen hackers trick devs with fake popularity scam on GitHub ⚠️

  • 🍏 Apple to the rescue! Spyware alerts updated to detect mercenary attacks πŸ•΅οΈ

Fancy a trip, buddy? πŸ‘³πŸΎβ€β™‚οΈ

🚨 Beware of eXotic Visit: Android Malware Campaign Strikes South Asia πŸ“±

An ongoing Android malware campaign named eXotic Visit has emerged as a significant threat to users in South Asia, particularly those in India and Pakistan. This malicious operation, active since November 2021, employs deceptive tactics to distribute malware via dedicated websites and the Google Play Store. πŸ›‘πŸ“²

Virtual Invaders

Tracked by Slovak cybersecurity firm ESET under the alias "Virtual Invaders," the group orchestrating the eXotic Visit campaign remains unidentified. The campaign revolves around the deployment of seemingly legitimate apps, which harbour malicious code derived from the Android XploitSPY RAT. πŸ’ΌπŸ•΅οΈβ€β™‚οΈ

Targeted Deception

The eXotic Visit campaign adopts a highly targeted approach, with the apps hosted on Google Play boasting minimal installations ranging from zero to 45. Notably, these deceptive apps pose as popular messaging services like Alpha Chat, ChitChat, and Signal Lite, among others. Victims, estimated at around 380, unknowingly download and utilise these apps for messaging purposes. πŸ“©πŸ“ˆ

Diverse Arsenal

In addition to masquerading as messaging platforms, eXotic Visit employs apps like Sim Info and Telco DB, offering SIM owner details based on Pakistani phone numbers. Furthermore, some apps impersonate a food ordering service in Pakistan and a legitimate Indian hospital, Specialist Hospital (now rebranded as Trilife Hospital). πŸ₯πŸ“²

XploitSPY: The Malicious Core

Derived from the open-source Android XploitSPY RAT, the malware boasts a wide range of capabilities, including data exfiltration, GPS tracking, microphone recording, and interception of app notifications. It also employs obfuscation techniques and emulator detection to evade detection by security measures. πŸ•΅οΈβ€β™€οΈπŸ”’

Stealthy Distribution Channels

The distribution of these malicious apps initially started on dedicated websites and later infiltrated the official Google Play Store. Victims are lured into downloading these apps through deceptive tactics, although the precise method remains unclear. The primary objective of the eXotic Visit campaign appears to be espionage, primarily targeting individuals in Pakistan and India. πŸŒπŸ”

As the eXotic Visit campaign continues to evolve, users in South Asia are urged to exercise caution when downloading apps, remain vigilant against suspicious activity, and employ robust cybersecurity measures to safeguard their devices and personal information. πŸ’»πŸ›‘οΈ

Learn AI in 5 minutes a day. We'll teach you how to save time and earn more with AI. Join 400,000+ free daily readers for trending tools, productivity boosting prompts, the latest news, and more.

Git to f*ck! 😑😑😑

🚨 GitHub Under Siege: Malicious Repositories Threaten Open-Source Ecosystem πŸ”

Threat actors have launched a new assault on the open-source software supply chain, leveraging GitHub's search functionality to dupe unsuspecting users into downloading repositories housing malware.

According to a report from Checkmarx, this latest tactic involves embedding malicious code within Microsoft Visual Code project files, orchestrating a sophisticated scheme to propagate malware and compromise developers' systems. πŸ›‘πŸ’»

Tricking the Unwary

Security researcher Yehuda Gelb shed light on the modus operandi of these attackers, who create malicious repositories masquerading as popular projects and topics.

By employing tactics like automated updates and artificial boosting of search rankings through fake stars, the threat actors ensure that their repositories surface prominently in GitHub's search results. This tactic aims to exploit developers' trust in the platform, luring them into downloading malicious code under the guise of legitimate projects. πŸŒŸπŸ•΅οΈβ€β™‚οΈ

A Stealthy Approach

Unlike previous incidents where attackers inflated repositories with excessive stars, the perpetrators of this campaign opt for a more subtle approach to avoid detection. By maintaining a modest number of fake stars, they evade suspicion while still lending an air of credibility to their fraudulent repositories. This strategy underscores the evolving sophistication of threat actors in their efforts to infiltrate the open-source ecosystem. πŸ•΅οΈβ€β™‚οΈπŸ›‘οΈ

Downloading Danger

Some of these malicious repositories have been observed distributing encrypted .7z files containing executables designed to launch malware payloads. Notably, the malware shares similarities with the notorious Keyzetsu clipper, capable of redirecting cryptocurrency transactions to attacker-controlled wallets.

This underscores the urgent need for developers to exercise caution when downloading source code from open-source repositories and not rely solely on reputation metrics for evaluation. βš οΈπŸ’°

A Growing Threat

The exploitation of GitHub's search functionality to distribute malware represents an ongoing trend that poses a significant threat to the open-source ecosystem.

By manipulating repository properties and leveraging GitHub's platform, threat actors continue to target unsuspecting users, highlighting the need for enhanced vigilance and security measures within the developer community. πŸš¨πŸ”’

As developers navigate the perilous landscape of open-source software, it's imperative to remain vigilant against such threats and adopt robust security practices to safeguard against malicious attacks. πŸ’»πŸ›‘οΈ

🎣 Catch of the Day!! 🌊🐟🦞

πŸƒΒ The Motley Fool: β€œFool me once, shame on β€” shame on you. Fool me β€” you can't get fooled again.” Good ol’ George Dubya πŸ˜‚ Let us tell who’s not fooling around though; that’s the CrΓΌe πŸ‘€ at Motley Fool. You’d be a fool (alright, enough already! πŸ™ˆ) not to check out their Share Tips from time to time so your savings can one day emerge from their cocoon as a beautiful butterfly! πŸ› Kidding aside, if you check out their website they’ve actually got a ton of great content with a wide variety of different investment ideas to suit most budgets πŸ€‘Β (LINK)


🚡 Wander: Find your happy place. Cue Happy Gilmore flashback πŸŒοΈβ›³πŸŒˆπŸ•ŠοΈ Mmmm Happy Place… πŸ˜‡ So, we’ve noticed a lot of you guys are interested in travel. As are we! We stumbled upon this cool company that offers a range of breath-taking spots around the United States and, honestly, the website alone is worth a gander. When all you see about the Land of the free and the home of the brave is news of rioting, looting and school shootings, it’s easy to forget how beautiful some parts of it are. The awe-inspiring locations along with the innovative architecture of the hotels sets Wander apart from your run of the mill American getaway 🏞️😍 (LINK)


🌊 Digital Ocean: If you build it they will come. Nope, we’re not talking about a baseball field for ghosts βšΎπŸ‘»πŸΏ (Great movie, to be fair πŸ™ˆ). This is the Digital Ocean who’ve got a really cool platform for building and hosting pretty much anything you can think of. If you check out their website you’ll find yourself catching the buzz even if you can’t code (guilty πŸ˜‘). But if you can and you’re looking for somewhere to test things out or launch something new or simply enhance what you’ve got, we’d recommend checking out their services fo’ sho πŸ˜‰ And how can you not love their slogan: Dream it. Build it. Grow it. Right on, brother! 🌿 (LINK)

An Apple alert a day, keeps the spyware away πŸ˜‰

🚨 Apple Strengthens Spyware Alert System Amid Rising Threats πŸ“±

Apple has bolstered its documentation on its spyware threat notification system, now explicitly warning users when they may have been targeted by individualised attacks. The update underscores the escalating danger posed by mercenary spyware, particularly tools like Pegasus developed by companies like NSO Group, utilised by state actors for precisely targeted attacks on journalists, activists, politicians, and diplomats. πŸš¨πŸ•΅οΈβ€β™‚οΈ

Targeted Threats on the Rise

The revised documentation reflects a shift in focus from state-sponsored attacks to individually targeted threats, acknowledging the ongoing global nature of mercenary spyware assaults. Despite being deployed against a small number of individuals, these attacks are characterised by extreme sophistication and worldwide reach, making them among the most advanced digital threats today. πŸŒπŸ’Ό

Global Alert

Apple's revision coincided with threat notifications sent to iPhone users in 92 countries, signalling a concerted effort to inform and assist potential victims of such attacks. While the company began issuing threat notifications in November 2021, it refrains from attributing the attacks to specific threat actors or regions. This underscores the complexity of addressing the misuse and proliferation of commercial spyware on a global scale. πŸ“’πŸ”

Rising Exploitation

A recent report by Google's Threat Analysis Group and Mandiant revealed that commercial surveillance vendors were behind a significant portion of zero-day vulnerabilities discovered in 2023. These vulnerabilities, primarily targeting web browsers and mobile devices, underscore the growing trend of threat actors leveraging zero-days for evasion and persistence. As security investments increase, threat actors are adapting, bypassing security measures to infiltrate target devices. πŸ›‘οΈπŸ”“

πŸ—žοΈ Extra, Extra! Read all about it!

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • πŸ›‘οΈ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday πŸ“…

  • πŸ’΅Β Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for πŸ†“

  • πŸ“ˆΒ Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future πŸ‘Ύ

Let us know what you think!

So long and thanks for reading all the phish!

Recent articles