Arid Viper Initiates Mobile Surveillance Operation with AridSpy Malware

Jun 13, 2024NewsroomThreat Intelligence / Mobile Security

A threat actor known as Arid Viper has been linked to a mobile espionage campaign that uses trojanized Android apps to deliver a spyware strain named AridSpy.

“The malicious software is spread through dedicated websites pretending to be various messaging platforms, a recruitment application, and a Civil Registry application for Palestine,” stated ESET analyst Lukáš Štefanko in a report shared today. “Frequently, these are existing applications that have been tampered with by adding AridSpy’s destructive code.”

The activity is said to have spanned as many as five campaigns since 2022, with earlier versions of AridSpy documented by Zimperium and 360 Beacon Labs. Three of the five campaigns are still ongoing.

Arid Viper, a suspected Hamas-affiliated group also tracked as APT-C-23, Desert Falcon, Grey Karkadann, Mantis, and Two-tailed Scorpion, has a long history of using mobile malware since its emergence in 2017.

“Historically, Arid Viper has targeted military personnel in the Middle East, along with reporters and dissenters,” highlighted SentinelOne late last year, indicating that the faction “persists in flourishing in the field of mobile malware.”

ESET's analysis of the latest version of AridSpy shows that it has evolved into a multi-stage trojan capable of downloading additional payloads from a command-and-control (C2) server through the initial, trojanized app.

The attacks primarily target users in Palestine and Egypt through fake websites that serve as distribution points for the infected apps.

Some of the fake but functional apps claim to be secure messaging services such as LapizaChat, NortirChat, and ReblyChat, which are based on the legitimate apps StealthChat, Session, and Voxer Walkie Talkie Messenger, while another app claims to come from the Palestinian Civil Registry.

The Palestinian Civil Registry website (“palcivilreg[.]com”), registered on May 30, 2023, has also been promoted through a dedicated Facebook page with 179 followers. The app distributed via the site takes inspiration from an identically named application available on the Google Play Store.

“The malicious application accessible on palcivilreg[.]com is not a tampered version of the application found on Google Play; nevertheless, it uses that app’s lawful server to gather data,” Štefanko explained. “This implies that Arid Viper drew inspiration from the app’s features but built its own client interface to interact with the legitimate server.”

ESET also found AridSpy being distributed as a job-seeking app from a website (“almoshell[.]website”) registered in August 2023. Notably, this app is not based on any legitimate application.
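The two distribution domains named above (palcivilreg[.]com and almoshell[.]website) are the only network indicators the article gives. As an added example that is not part of the original report or ESET's tooling, the following Python script shows how a defender could refang those defanged indicators and sweep DNS query logs for devices that resolved them or any of their subdomains. The log lines are constructed sample data in a dnsmasq-like format, and the label-aware matching (rather than a substring search) is there to keep look-alike names such as a constructed "notpalcivilreg.com" from producing false positives.

```python
import re
from typing import Dict, List, Optional, Set

# Distribution domains named in the ESET report, as printed (defanged) in the article.
# These are the only page-sourced indicators; everything else below is constructed sample data.
ARIDSPY_DEFANGED_DOMAINS = ["palcivilreg[.]com", "almoshell[.]website"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('example[.]com', 'hxxp://') back into its live form
    so it can be compared against real log data."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


# Lowercased, refanged set used for exact and subdomain matching.
WATCHLIST: Set[str] = {refang(d).lower() for d in ARIDSPY_DEFANGED_DOMAINS}

# Constructed sample DNS query log (dnsmasq-like format); not taken from the report.
SAMPLE_DNS_LOG = """\
Jun 13 09:14:02 gw dnsmasq[811]: query[A] www.google.com from 10.0.0.21
Jun 13 09:14:05 gw dnsmasq[811]: query[A] palcivilreg.com from 10.0.0.21
Jun 13 09:14:06 gw dnsmasq[811]: query[A] cdn.palcivilreg.com from 10.0.0.21
Jun 13 09:15:40 gw dnsmasq[811]: query[A] almoshell.website from 10.0.0.34
Jun 13 09:16:01 gw dnsmasq[811]: query[A] notpalcivilreg.com from 10.0.0.34
"""

QUERY_RE = re.compile(r"query\[(?P<type>[A-Z]+)\]\s+(?P<name>\S+)\s+from\s+(?P<src>\S+)")


def domain_matches(name: str, watchlist: Set[str]) -> Optional[str]:
    """Return the watchlisted domain that `name` equals or is a subdomain of, else None.
    Matching on whole labels keeps 'notpalcivilreg.com' from being flagged."""
    name = name.lower().rstrip(".")
    for domain in watchlist:
        if name == domain or name.endswith("." + domain):
            return domain
    return None


def scan_dns_log(log_text: str, watchlist: Set[str] = WATCHLIST) -> List[Dict[str, str]]:
    """Parse DNS query lines and return one hit per line that resolves a watchlisted domain."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line; skip
        matched = domain_matches(m.group("name"), watchlist)
        if matched:
            hits.append({"src": m.group("src"), "queried": m.group("name"), "indicator": matched})
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{hit['src']} queried {hit['queried']} (matches {hit['indicator']})")
```

Each hit carries the source IP so a responder can pivot to the device that resolved the domain; the same `scan_dns_log` function can be pointed at a real resolver log once the watchlist is extended with any further indicators an organisation chooses to track.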

Upon installation, the malicious app checks for the presence of security software against a hard-coded list and proceeds to download a first-stage payload only if none is found on the device. This payload masquerades as an update for Google Play Services.

“This payload operates autonomously without requiring the trojanized application to be present on the device,” Štefanko clarified. “Consequently, if the victim removes the initial trojan application, such as LapizaChat, AridSpy remains unaffected.”

The first stage's main job is to download the second-stage component, which contains the malicious functionality and uses a Firebase domain for C2 communications.

The malware supports a range of commands to collect information from the device and can deactivate itself or perform data exfiltration when connected to a mobile data network. Exfiltration is triggered either by commands or under specific predefined conditions.

“When the user locks or unlocks the device, AridSpy captures an image using the front camera and relays it to the exfiltration C&C server,” Štefanko added. “Images are captured only if more than 40 minutes have elapsed since the previous capture and the battery level exceeds 15%.”
