Android Warning: 6 Spy Apps on Google Play Steal Messages, Calls & More (Remove Now!)

The digital landscape is facing a growing threat as malicious actors increasingly target Android users with sophisticated spyware. Recent investigations have uncovered a targeted espionage campaign, dubbed “eXotic Visit,” and a separate wave of trojanized messaging apps, highlighting the vulnerability of mobile devices and the urgent need for heightened cybersecurity awareness. These campaigns, primarily focused on users in South Asia but with the potential for global reach, employ deceptive tactics – including romance scams and the impersonation of legitimate applications – to gain access to sensitive data.

The threat isn’t limited to data theft. Experts warn that these attacks can grant attackers complete control over compromised devices, enabling them to intercept communications, steal files and even remotely access microphones and cameras. This level of intrusion poses a significant risk to personal privacy, financial security, and national security, particularly as these campaigns evolve and adapt to evade detection. The sophistication of the malware used, including the open-source XploitSPY RAT and the VajraSpy framework, demonstrates a concerning level of technical expertise among the threat actors involved.

eXotic Visit: A Targeted Espionage Campaign

Researchers at ESET first identified the eXotic Visit campaign in late 2021, noting its primary method of distribution through dedicated websites and, for a period, the Google Play Store. ESET’s analysis reveals that the campaign focuses on impersonating messaging applications, luring users into downloading apps that appear functional but secretly harbor malicious code. The primary targets appear to be individuals in Pakistan and India, though the potential for wider distribution remains a concern.

The malware utilized in eXotic Visit is based on the open-source Android XploitSPY RAT, allowing attackers to remotely control infected devices. ESET researchers have linked various samples of the malware through shared command-and-control (C&C) infrastructure, unique malicious code updates, and a consistent C&C admin panel. The threat actors behind this campaign, internally tracked by ESET as “Virtual Invaders,” have continuously refined their techniques, incorporating obfuscation, emulator detection, and methods to conceal C&C addresses. This ongoing development suggests a dedicated and resourceful adversary.

Trojanized Messaging Apps: A Cryptocurrency Focus

In a separate but equally concerning development, ESET researchers uncovered a campaign distributing trojanized versions of popular messaging apps like WhatsApp and Telegram. The research, published in March 2023, details how attackers created copycat websites mimicking the official Telegram and WhatsApp platforms to distribute these malicious applications, primarily targeting Android and Windows users. These apps are designed to steal cryptocurrency funds from victims.

The malware functions as a “clipper,” intercepting cryptocurrency wallet addresses copied to the clipboard and replacing them with the attacker’s own addresses. Some variants even employ optical character recognition (OCR) technology to extract recovery phrases from screenshots stored on compromised devices, further increasing the risk of financial loss. The campaign primarily targets Chinese-speaking users, likely due to the restrictions on Telegram and WhatsApp within China, where both platforms have been blocked since 2015 and 2017, respectively. Attackers utilized Google Ads and fraudulent YouTube channels to redirect users to these malicious websites.

Romance Scams and the WaveChat Threat

More recently, in January 2026, ESET researchers uncovered a particularly insidious Android spyware campaign leveraging romance scams to target individuals in Pakistan. The campaign utilizes fake dating apps to lure victims into downloading malicious software. Attackers initiate conversations with potential victims, building trust through fabricated romantic relationships before convincing them to install a compromised messaging application.

Among the applications identified, WaveChat stands out as particularly dangerous. Researchers discovered that WaveChat possesses the capability to secretly record audio, even when the device’s microphone is ostensibly disabled. This alarming feature allows attackers to eavesdrop on conversations in the victim’s surroundings without their knowledge, representing a severe breach of privacy. The other applications identified in the campaign include Privee Talk, MeetMe, Let’s Chat, Quick Chat, and Rafaqat. These apps, once installed, can intercept phone calls, steal photos and files, read text messages, and extract encrypted conversations from other messaging apps.

What Can These Apps Do?

Once installed, these malicious applications grant attackers a wide range of capabilities, including:

  • Intercepting and recording phone calls
  • Stealing photos and files stored on the device
  • Reading text messages
  • Extracting conversations from encrypted messaging applications

Protecting Yourself from Spyware

Given the increasing sophistication and prevalence of these threats, it is crucial for Android users to take proactive steps to protect their devices and personal information. Experts recommend the following measures:

  • Remove Suspicious Apps: Immediately uninstall any of the identified applications (Privee Talk, MeetMe, Let’s Chat, Quick Chat, Rafaqat, Chit Chat, and WaveChat) if they are present on your device.
  • Exercise Caution When Downloading Apps: Avoid downloading applications from unknown or untrusted sources. Stick to official app stores like the Google Play Store and carefully review app permissions before installation.
  • Review App Permissions: Regularly review the permissions granted to installed applications. Revoke any permissions that seem unnecessary or excessive.
  • Limit Microphone Access: Restrict microphone access to only essential applications and consider disabling it when not in use.
  • Stay Informed: Keep abreast of the latest cybersecurity threats and best practices by following reputable security blogs and news sources.
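
The permission review recommended above can be scripted for a device connected over adb. The following is an added example, not code from ESET or from the original article: it parses text in the layout of `adb shell dumpsys package` output and lists apps that hold microphone access together with other grants matching the capabilities described here. The package names, the sample text and the threshold of three grants are constructed assumptions.

```python
import re

# Runtime permissions matching the capabilities this article describes.
CAPABILITY_PERMS = {
    "android.permission.RECORD_AUDIO": "record audio",
    "android.permission.READ_SMS": "read text messages",
    "android.permission.READ_CALL_LOG": "read call history",
    "android.permission.READ_EXTERNAL_STORAGE": "read photos and files",
}
PKG_RE = re.compile(r"^\s+Package \[([^\]]+)\]")
PERM_RE = re.compile(r"^\s+([\w.]+): granted=(true|false)")

def granted_permissions(dumpsys_text):
    """Map each package to the permissions marked granted=true."""
    result, current = {}, None
    for line in dumpsys_text.splitlines():
        if line and not line[0].isspace():
            current = None  # new top-level section, e.g. "Shared users:"
        elif (m := PKG_RE.match(line)):
            current = m.group(1)
            result.setdefault(current, set())
        elif (m := PERM_RE.match(line)) and current and m.group(2) == "true":
            result[current].add(m.group(1))
    return result

def review_candidates(dumpsys_text, threshold=3):
    """Packages holding microphone access plus other sensitive grants."""
    flagged = {}
    for pkg, perms in granted_permissions(dumpsys_text).items():
        hits = sorted(CAPABILITY_PERMS[p] for p in perms if p in CAPABILITY_PERMS)
        if "record audio" in hits and len(hits) >= threshold:
            flagged[pkg] = hits
    return flagged

# Constructed sample in the layout of `adb shell dumpsys package` output.
SAMPLE = """Packages:
  Package [com.example.notes] (a1b2c3):
    runtime permissions:
      android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET ]
      android.permission.RECORD_AUDIO: granted=false, flags=[ USER_SET ]
  Package [com.example.chatapp] (d4e5f6):
    runtime permissions:
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
      android.permission.READ_CALL_LOG: granted=true, flags=[ USER_SET ]
"""

if __name__ == "__main__":
    print(review_candidates(SAMPLE))
```

A flagged package is a prompt for manual review, not proof of spyware, since legitimate messaging apps request similar grants. On Android 13 and later, media access is granted through READ_MEDIA_IMAGES and related permissions, so the table needs extending for newer devices.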

The threat landscape is constantly evolving, and these campaigns represent just the latest examples of the lengths to which malicious actors will go to compromise user privacy and security. Staying vigilant and adopting a proactive security posture are essential for mitigating these risks.

As ESET continues to monitor the activities of “Virtual Invaders” and other threat actors, further insights into their tactics and targets are expected. The ongoing investigation will likely reveal new vulnerabilities and necessitate further adjustments to security protocols. Users should remain cautious and prioritize the protection of their personal data in the face of these evolving threats.

The next update from ESET regarding the eXotic Visit campaign is anticipated in late March 2026, where researchers plan to release a more detailed technical analysis of the malware’s capabilities and potential mitigation strategies. Stay informed and share this information with your network to help protect others from falling victim to these sophisticated attacks.
