Xploitspy

XploitSPY is a malicious Remote Access Trojan (RAT) that was first uploaded to GitHub in April 2020 by a user named RaoMK, who was reportedly associated with an Indian cybersecurity solutions company, XploitWizer. The malware is based on L3MON, a defunct open-source Android RAT inspired by AhMyth, and was primarily distributed by Virtual Invaders through bundling with mobile applications, especially messaging apps. This method lured unsuspecting victims into downloading the malware, often without their knowledge. The primary purpose of XploitSPY is cyber espionage, as discovered by researchers from the cybersecurity firm ESET. They found that this open-source malware targeted Android users primarily in India and Pakistan. Once installed, XploitSPY has extensive espionage capabilities, including the ability to extract SMS messages, device contact lists, call logs, and messages from various apps. It can also track the device's location, obtain clipboard contents, and record audio from the device's microphone. XploitSPY communicates with its Command & Control (C&C) server using HTTPS requests over ports 21,572, 28,213, or 21,656, ensuring secure and covert communication. Data exfiltration is also performed using HTTPS, further enhancing the stealth aspect of the malware's operation. The use of HTTPS for both communication and data exfiltration makes it harder for traditional network security measures to detect the malicious activities of XploitSPY.