Watch out for these fake messaging apps on Android — they could be spying on you
Threat actors were targeting victims in Pakistan and India
Cybersecurity researchers from ESET found a handful of malicious Android apps that were spying on people and stealing sensitive information from their mobile devices.
The researchers attribute the apps to a previously unknown threat actor group, which they named Virtual Invaders, that has been active since late 2021. The group built a series of Android apps posing as messaging and communications products, each bundling a customized build of the open-source XploitSPY malware.
The hackers called their campaign “eXotic Visit.”
Low download count
On the surface, the apps worked as advertised, offering rudimentary messaging functions. Behind the curtain, however, ran malware that exfiltrated the victim's contact list and files, reported the device's GPS location, and enumerated the file names in specific directories, including those used by the camera, the downloads folder, and messaging apps such as Telegram and WhatsApp.
If a file name looked interesting, the attackers could then retrieve that file as well.
To build the malware, the attackers appear to have taken the open-source Android Remote Access Trojan (RAT) XploitSPY and modified it. Alongside the rudimentary services that actually worked, the apps also shipped with a number of fake features. Over the years, the attackers added new capabilities, including stronger obfuscation, emulator detection to frustrate analysis in sandboxes, and more.
There were more than a dozen apps, ESET said, the three most prominent being Dink Messenger, Sim Info, and Defcom. They were distributed through standalone websites as well as Google Play; all have since been removed from Google's app store.
Still, the chances of being infected by any of these apps are relatively low. The attackers appear to have targeted only individuals in Pakistan and India, and were quite selective about their victims. In total there were roughly 380 downloads across the websites and the Play Store, with no single app exceeding about 45 downloads. How victims were steered to the apps was not discussed, but phishing and social engineering are the most likely routes.
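For a practitioner vetting a sideloaded "messaging" app, the capability profile described above (contacts, location and shared-storage access, plus enumeration of the camera, downloads, Telegram and WhatsApp directories) combined with a tiny install base is a useful triage signal. The following Python script is an added example illustrating that heuristic; it is not ESET's tooling, not code from XploitSPY, and the manifest, decompiled string list, package names and the 100-install threshold are all constructed or assumed here. In real use it would be fed the decoded AndroidManifest.xml and the string table from an apktool or jadx dump.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permission groups matching the data the article says the apps collected.
# One group alone is ordinary for a chat app; all three together in a
# sideloaded app with a handful of installs is the combination we flag.
CAPABILITY_GROUPS = {
    "contacts": {"android.permission.READ_CONTACTS"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "storage": {"android.permission.READ_EXTERNAL_STORAGE",
                "android.permission.MANAGE_EXTERNAL_STORAGE"},
}

# Directories the article names as enumeration targets, as regexes run
# over strings pulled from a decompiled APK (paths are assumptions).
TARGET_DIRS = {
    "camera": r"DCIM/Camera",
    "downloads": r"/Download(/|$)",
    "telegram": r"Telegram",
    "whatsapp": r"WhatsApp",
}


def declared_permissions(manifest_xml):
    """Return the set of <uses-permission android:name=...> values."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return {el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)}


def capability_groups(perms):
    """Which of the three capability groups the permission set covers."""
    return {g for g, names in CAPABILITY_GROUPS.items() if perms & names}


def directory_references(strings):
    """Which enumeration targets appear in the app's string table."""
    return {label for label, pat in TARGET_DIRS.items()
            if any(re.search(pat, s) for s in strings)}


def triage(manifest_xml, strings, install_count):
    """Score one APK; two or more independent signals mark it suspicious."""
    caps = capability_groups(declared_permissions(manifest_xml))
    dirs = directory_references(strings)
    reasons = []
    if caps == set(CAPABILITY_GROUPS):
        reasons.append("declares contacts, location and shared-storage access")
    if dirs:
        reasons.append("references enumeration targets: " + ", ".join(sorted(dirs)))
    if install_count < 100:  # threshold is an assumption, tune per catalogue
        reasons.append("very low install count (%d)" % install_count)
    return {"capabilities": caps, "directories": dirs,
            "reasons": reasons, "suspicious": len(reasons) >= 2}


# Constructed inputs modelled on the article's description; not real samples.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
</manifest>"""
SUSPECT_STRINGS = [
    "/storage/emulated/0/DCIM/Camera",
    "/storage/emulated/0/Download",
    "/storage/emulated/0/WhatsApp/Media",
    "/storage/emulated/0/Telegram",
    "isEmulator",
]

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chat2">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""
BENIGN_STRINGS = ["wss://chat.example/ws", "Send message"]

if __name__ == "__main__":
    for label, m, s, n in [("suspect", SUSPECT_MANIFEST, SUSPECT_STRINGS, 45),
                           ("benign", BENIGN_MANIFEST, BENIGN_STRINGS, 25000)]:
        r = triage(m, s, n)
        print(label, "suspicious" if r["suspicious"] else "clean", r["reasons"])
```

The check deliberately requires two independent signals before flagging, since a legitimate chat app can reasonably ask for contacts and storage; it is the co-occurrence of the full data-theft permission set, hard-coded paths for other apps' media directories, and an install count in the tens that matches the profile ESET describes.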
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.