ClickCease AridSpy Malware: Espionage Campaign Using Trojanized Apps

Join Our Popular Newsletter

Join 4,500+ Linux & Open Source Professionals!

2x a month. No spam.

AridSpy Malware: Espionage Campaign Using Trojanized Apps

Wajahat Raja

June 27, 2024 - TuxCare expert team

As per recent reports, the threat actor known as Arid Viper has been linked to a sophisticated mobile espionage campaign. This campaign uses trojanized Android apps to spread a spyware variant called AridSpy malware

According to ESET researcher Lukáš Štefanko, this AridSpy malware is distributed through dedicated websites that impersonate various legitimate apps, including messaging apps, a job opportunity app, and a Palestinian Civil Registry app. 

These websites host existing applications that have been compromised by adding AridSpy’s malicious code.

Historical Context and Activity


Arid Viper, suspected to be affiliated with Hamas, is also referred to as APT-C-23, Desert Falcon, Grey Karkadann, Mantis, and Two-tailed Scorpion. This group has been active since 2017 and is known for targeting military personnel, journalists, and dissidents in the Middle East. 

SentinelOne noted last year that Arid Viper continues to thrive in the mobile malware domain. The recent analysis by ESET reveals that AridSpy has evolved into a multi-stage trojan capable of downloading additional payloads from a command-and-control (C2) server through the initial trojanized app.

Recent Campaigns


The espionage campaign has been ongoing since 2022 and includes five distinct campaigns, three of which are still active. These campaigns primarily target users in Palestine and Egypt through fake websites designed to distribute the compromised apps. 

Some of these fake apps masquerade as secure messaging services like LapizaChat, NortirChat, and ReblyChat, which are based on legitimate apps such as StealthChat, Session, and Voxer Walkie Talkie Messenger. Another app mimics the Palestinian Civil Registry.

Detailed Analysis of the AridSpy Malware


The fake Palestinian Civil Registry website (“palcivilreg[.]com”), registered on May 30, 2023, promotes a malicious app that is not a trojanized version of the app available on Google Play. 

Instead, the AridSpy malware uses the legitimate app’s server to retrieve information, indicating that Arid Viper was inspired by the legitimate app’s functionality but developed its own client layer to communicate with the server. 

This app has been advertised through a dedicated Facebook page with 179 followers. In addition, ESET discovered that AridSpy is being spread through a fake job opportunity app on a website (“almoshell[.]website”) registered in August 2023. This app is notable because it does not base its design on any legitimate app. 

Once installed, the malicious app checks for the presence of security software from a hard-coded list and proceeds to download a first-stage payload if none are found. This payload impersonates an update for Google Play Services and operates independently of the initial trojanized app.

Functionality and Impact


The primary role of the first-stage payload is to download a second-stage component that contains the core malicious functionality. This component uses a Firebase domain for command-and-control (C&C) server purposes. 

The malware supports a range of commands to collect data from infected devices and can deactivate itself or perform data exfiltration, depending on whether the device is on a mobile data plan.

Malware Antivirus Protection and Prevention


In response to the threat, Google has assured users that Android devices are protected from AridSpy by Google Play Protect, a built-in malware defense solution that is enabled by default on all devices.



The ongoing activities of Arid Viper highlight the persistent threat posed by sophisticated mobile espionage campaigns. Users are advised to remain vigilant, avoid downloading apps from unofficial sources, and ensure that security features like Google Play Protect are enabled on their devices. 

By staying informed and cautious, users can better protect themselves against such malicious threats.


The sources for this piece include articles in The Hacker News and welivesecurity.

AridSpy Malware: Espionage Campaign Using Trojanized Apps
Article Name
AridSpy Malware: Espionage Campaign Using Trojanized Apps
Discover how the AridSpy malware infiltrates Android devices through trojanized apps, targeting users with sophisticated espionage tactics.
Publisher Name
Publisher Logo

Looking to automate vulnerability patching without kernel reboots, system downtime, or scheduled maintenance windows?

Learn About Live Patching with TuxCare

Become a TuxCare Guest Writer

Get started




Linux & Open Source

Subscribe to
our newsletter