Researchers at cybersecurity provider ESET detected five cyber espionage campaigns starting in 2022, targeting Android users with trojanized apps in Egypt and Palestine.
In a new report, ESET provided further details on these campaigns, which it attributed with medium confidence to the Arid Viper hacking group.
The ESET researchers named the multistage spyware used to infect the target Android apps ‘AridSpy.’
Trojanized Messaging Apps
These cyber espionage campaigns rely on distribution websites from which victims can download and manually install Android applications.
Some apps provided by these websites are seemingly legitimate chat apps trojanized with malicious code designed for espionage purposes – this is the AridSpy malware.
These malicious apps impersonate NortirChat, LapizaChat, ReblyChat, PariberyChat and RenatChat.
When ESET published its analysis, the campaigns using the first three trojanized chat apps were still ongoing, while the latter two were inactive.
“Note that these malicious apps have never been offered through Google Play and are downloaded from third-party sites. To install these apps, the potential victim is requested to enable the non-default Android option to install apps from unknown sources,” the ESET researchers added.
Fake ‘Palestinian Civil Registry’
In addition to trojanized messaging apps, the hackers behind AridSpy also used two seemingly legitimate apps distributed on the same dedicated websites: a ‘Palestinian Civil Registry’ app and an Arabic job opportunity app.
The former is modeled on an existing app on the Google Play Store, while the latter is entirely the hackers' own invention.
Both include malicious links leading the victims to install the AridSpy code.
AridSpy’s Technical Features
Earlier analyses of then-unnamed AridSpy from Zimperium in 2021 and 360 Beacon Labs in 2022 showed previous versions of the spyware only consisted of a single stage. It was notably involved in malicious campaigns targeting the FIFA World Cup in Qatar in December 2022.
The ESET blog reveals that the spyware has since evolved to a more advanced payload comprising a three-stage Trojan with additional payloads downloaded from the command and control (C2) server by the initial trojanized app.
The purpose of the second-stage payload is espionage via victim data exfiltration.
AridSpy also has a hardcoded internal version number that differs in these five campaigns and from other samples disclosed before.
“This information suggests that AridSpy is maintained and might receive updates or functionality changes,” ESET researchers added.
ESET provided a more detailed technical analysis of AridSpy.
Victimology and Attribution
The researchers detected six occurrences of AridSpy, all targeting users in Palestine and Egypt.
“The majority of the spyware instances registered in Palestine were for the malicious Palestinian Civil Registry app, with one other detection not being part of any campaign mentioned in this blog post.
We then found the same first-stage payload but with a different package name in Egypt. There was also another first-stage payload detected in Egypt, one that uses the same [C2] servers as the samples in the LapizaChat and job opportunity campaigns,” the ESET blog reads.
ESET’s attribution to Arid Viper is based on two indicators:
- AridSpy targeted organizations in Palestine and Egypt, which fits a subset of Arid Viper’s typical targeting
- Multiple AridSpy distribution websites use a unique, malicious JavaScript file named myScript.js, which has been previously linked to Arid Viper by 360 Beacon Labs and the FOFA network search engine
Who is Behind Arid Viper?
Arid Viper, also known as APT-C-23, Desert Falcons, or Two-tailed Scorpion, is a cyber espionage group that has been targeting countries in the Middle East since at least 2013.
The group’s malicious activity was first reported in 2015.
The group typically targets individuals in order to exfiltrate sensitive and confidential data, and it has specific expertise in developing malware and spyware for the Android, iOS and Windows platforms.
It has been known to disguise its malware as updates for popular applications such as WhatsApp, Signal or Telegram. It may also send phishing emails that contain links to malicious websites.
The location of the Arid Viper hackers remains unknown.