AridSpy Malware: Espionage Campaign Using Trojanized Apps
Recent reports link the threat actor known as Arid Viper to a sophisticated mobile espionage campaign. The campaign uses trojanized Android apps to spread a spyware variant called AridSpy.
According to ESET researcher Lukáš Štefanko, this AridSpy malware is distributed through dedicated websites that impersonate various legitimate apps, including messaging apps, a job opportunity app, and a Palestinian Civil Registry app.
These websites host existing applications that have been compromised by adding AridSpy’s malicious code.
Historical Context and Activity
Arid Viper, suspected to be affiliated with Hamas, is also referred to as APT-C-23, Desert Falcon, Grey Karkadann, Mantis, and Two-tailed Scorpion. This group has been active since 2017 and is known for targeting military personnel, journalists, and dissidents in the Middle East.
SentinelOne noted last year that Arid Viper continues to thrive in the mobile malware domain. The recent analysis by ESET reveals that AridSpy has evolved into a multi-stage trojan capable of downloading additional payloads from a command-and-control (C2) server through the initial trojanized app.
Recent Campaigns
The espionage campaign has been ongoing since 2022 and includes five distinct campaigns, three of which are still active. These campaigns primarily target users in Palestine and Egypt through fake websites designed to distribute the compromised apps.
Some of these fake apps masquerade as secure messaging services like LapizaChat, NortirChat, and ReblyChat, which are based on legitimate apps such as StealthChat, Session, and Voxer Walkie Talkie Messenger. Another app mimics the Palestinian Civil Registry.
Detailed Analysis of the AridSpy Malware
The fake Palestinian Civil Registry website (“palcivilreg[.]com”), registered on May 30, 2023, promotes a malicious app that is not a trojanized version of the app available on Google Play.
Instead, the AridSpy malware uses the legitimate app’s server to retrieve information, indicating that Arid Viper was inspired by the legitimate app’s functionality but developed its own client layer to communicate with the server.
This app has been advertised through a dedicated Facebook page with 179 followers. In addition, ESET discovered that AridSpy is being spread through a fake job opportunity app on a website (“almoshell[.]website”) registered in August 2023. This app is notable because it does not base its design on any legitimate app.
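As an added example, not code from the article or from ESET's research, the following Python checker refangs the two domains quoted above and flags any lookup of them, or of their subdomains, in DNS resolver log lines that are constructed here for illustration:

```python
# Indicators quoted in the article above, in their defanged form.
DEFANGED_IOCS = ["palcivilreg[.]com", "almoshell[.]website"]

def refang(indicator: str) -> str:
    """Turn a defanged indicator ('example[.]com', 'hxxp://') back into a plain one."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")

def build_domain_set(defanged):
    """Normalise a list of defanged domains into a lower-case set."""
    return {refang(d).lower() for d in defanged}

# Constructed sample DNS resolver log (not from the article).
# Fields: timestamp, client address, query name, query type.
SAMPLE_DNS_LOG = """\
2024-06-13T09:14:02Z 10.0.0.12 www.google.com A
2024-06-13T09:14:09Z 10.0.0.37 palcivilreg.com A
2024-06-13T09:15:41Z 10.0.0.37 cdn.palcivilreg.com A
2024-06-13T09:16:00Z 10.0.0.51 almoshell.website. AAAA
2024-06-13T09:16:12Z 10.0.0.51 notalmoshell.website A
"""

def query_matches(qname: str, bad_domains) -> bool:
    """True if qname equals a listed domain or is a subdomain of one.
    Trailing dots and case are normalised; a look-alike such as
    'notalmoshell.website' must not match on a bare suffix test."""
    q = qname.rstrip(".").lower()
    return any(q == d or q.endswith("." + d) for d in bad_domains)

def scan_dns_log(log_text: str, defanged=DEFANGED_IOCS):
    """Return (client, query name) pairs whose lookups touch a listed domain."""
    bad = build_domain_set(defanged)
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines rather than abort the scan
        _ts, client, qname, _qtype = parts[:4]
        if query_matches(qname, bad):
            hits.append((client, qname.rstrip(".").lower()))
    return hits

if __name__ == "__main__":
    for client, name in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{client} resolved {name}")
```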
Once installed, the malicious app checks for the presence of security software from a hard-coded list and proceeds to download a first-stage payload if none are found. This payload impersonates an update for Google Play Services and operates independently of the initial trojanized app.
Functionality and Impact
The primary role of the first-stage payload is to download a second-stage component that contains the core malicious functionality. This component uses a Firebase domain as its command-and-control (C2) server.
The malware supports a range of commands to collect data from infected devices and can deactivate itself or perform data exfiltration, depending on whether the device is on a mobile data plan.
Protection and Prevention
In response to the threat, Google has assured users that Android devices are protected from AridSpy by Google Play Protect, a built-in malware defense solution that is enabled by default on all devices.
Conclusion
The ongoing activities of Arid Viper highlight the persistent threat posed by sophisticated mobile espionage campaigns. Users are advised to remain vigilant, avoid downloading apps from unofficial sources, and ensure that security features like Google Play Protect are enabled on their devices.
By staying informed and cautious, users can better protect themselves against such malicious threats.
The sources for this piece include articles in The Hacker News and welivesecurity.