Cybercriminals have been modifying open source remote access trojans (RATs) for embedding into seemingly legitimate apps to infiltrate “trusted” app stores
Do not take for granted that apps from official app stores are safe. From November 2021 to the end of 2023, a series of so-called messaging apps passed through the Google Play security checks and were later found by researchers to contain an open-source remote-access trojan (RAT).
The apps in question did offer functional services as bait. However, the XploitSPY trojan embedded in the code could extract contact lists and files; GPS location data; and discover the names of files listed in specific directories related to the camera, downloads, and various messaging apps.
Attackers controlling compromised Android smart devices could examine the file names of interest and then remotely extract the actual files through the command-and-control (C2) server. To evade detection by malware scanning teams, the attackers hid malware-linked code, such as C2 URLs, within a native library often used in Android app development.
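A triage check for the evasion described above: because an APK is a zip archive and native code lives under lib/<abi>/*.so, a reviewer can pull printable strings out of every native library and flag anything URL-shaped for a second look. This is an added example, not code from the original article or from ESET; the APK layout, library contents and the c2.example.invalid hostname are constructed placeholders, and the check only catches plain-text URLs (obfuscated or split strings would need decoding first).

```python
import io
import re
import zipfile

# Runs of at least 8 printable ASCII bytes, as the `strings` tool would report.
_PRINTABLE = re.compile(rb"[\x20-\x7e]{8,}")
# Crude URL matcher for triage (http(s) and websocket endpoints with optional port/path).
_URL = re.compile(r"(?:https?|wss?)://[\w.\-]+(?::\d+)?(?:/[\w./\-?=&%]*)?")


def native_lib_urls(apk_bytes: bytes) -> dict[str, list[str]]:
    """Return {library path: [url, ...]} for every native library in an APK.

    Only entries under lib/ ending in .so are scanned, so the result is the
    set of endpoints that would not show up in a review of the DEX code alone.
    """
    found: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if not (name.startswith("lib/") and name.endswith(".so")):
                continue
            urls = []
            for run in _PRINTABLE.findall(apk.read(name)):
                urls.extend(_URL.findall(run.decode("ascii")))
            if urls:
                found[name] = sorted(set(urls))
    return found


def build_sample_apk() -> bytes:
    """Constructed sample: a minimal zip mimicking an APK layout.

    The library blob and the c2.example.invalid hostname are placeholders made
    up for this example, not indicators from the campaign.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("AndroidManifest.xml", b"<manifest/>")
        apk.writestr("classes.dex", b"dex\n035\0" + b"\0" * 32)
        # Fake ELF-like blob: magic, padding, an exported symbol, then an embedded endpoint.
        so = (b"\x7fELF" + b"\x00" * 24 + b"JNI_OnLoad\0"
              + b"https://c2.example.invalid:8443/api/\0" + b"\xff" * 16)
        apk.writestr("lib/arm64-v8a/libnative.so", so)
        # A URL outside lib/ is deliberately ignored by the check.
        apk.writestr("assets/readme.txt", b"https://docs.example.invalid/ (not in a lib)")
    return buf.getvalue()


if __name__ == "__main__":
    for lib, urls in native_lib_urls(build_sample_apk()).items():
        print(lib, urls)
```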
The offensive apps were: Dink Messenger, Sim Info, and Defcom. Additionally, 10 other apps were identified to contain code based on XploitSPY, and all were taken down from Google Play after official disclosures. Overall, around 380 victims had downloaded the apps from certain websites and the Google Play store and created accounts to use the messaging functionality. Because of the targeted nature of the campaign, the number of installs of each app from Google Play had been relatively low: between zero and 45, and apparently primarily targeting a select group of Android users in Pakistan and India.
According to ESET, the firm that discovered the campaign, there has been no indication that the campaign is linked to any known group. However, the chat functionality integrated in the apps is likely to be from the Virtual Invaders threat group. Separately, the open source RAT, XploitSPY, has over the years been customized by threat actors such as the Transparent Tribe advanced persistent threat (APT) group, for embedding into seemingly legitimate apps offering sought-after commercial functions. Additional modifications could be made to increase evasion/obfuscation, emulator detection, and hiding of C2 pointers.