XploitSPY: New Android spyware designed by ethical-ish hackers
As the COVID-19 lockdown continues, there has been an increasing number of mobile threats appearing on the threat landscape. Android devices are by far the main targets of threat actors which have been delivering fake apps in the form of malicious .APK files to install banking Trojans, like Cerberus, as well as a number of spyware and SMS worms.
ESET's malware expert, Lukas Stefanko, along with Malware Hunter Team, have uncovered and analysed an interesting new open-source Android Trojan called XploitSPY.
According to the researchers the malware has been designed by three ethical hackers from India, who reportedly work for a cybersecurity company. However, because Malware Hunter Team has found it being exploited in the wild, either these developers or other nefarious users have decided to use the malware for their own cybercriminal means.XploitSPY - new open-source Android Spying Tool-already spreads on UND forums-developed by cyber security solutions company from #India 🇮🇳 (3 ethical hackers)-they have 25years of exper. but based on photo they are under 30— Lukas Stefanko (@LukasStefanko) April 13, 2020
I was able to find the site, which uses the Heroku platform-as-a-service (PaaS), the same serice used to host control panels for the spyware:
I went ahead and checked the relationships this domain has on VirusTotal out of curiosity:
What I found was a number of antivirus detections for active use of XploitSPY in the wild, 10 in total. Along with the hits for XploitSPY was another Android malware called "instaPlus.apk" and "InstaPlusSettings.apk". This was more than likely those using the spyware had renamed it and were masquerading as a fake premium version of Instagram. On the developer's GitHub was a Instagram credential harvesting tool as well:
Some of XploitSPY's features includes:
Other security researchers noted that XploitSPY appears to be a fork of another Android malware called L3MON, just with upgraded features for further data capture and active spying capabilities.
Here's a view of what the control panels may look like for XploitSPY:
The group behind XploitSPY are calling themselves XploitWizer and claim to be ethical hackers on their GitHub account and that XploitSPY is for an "educational purpose" only:
Organisations need to make sure company devices are setup with reinforced security policies to defend against these types of threats, especially during the COVID-19 lockdown where users are on home WiFi and mobile data, away from corporate detection systems.
I have collected and attached IOCs to my OTX Alienvault account here.
Special thanks to Lukas Stefanko of ESET and Malware Hunter Team who have been doing some awesome work spotting these Android spyware and banking Trojans in the wild, quickly analysing, and reporting them publicly. We salute you.