Hamas Hackers Distribute Covert Spyware in Egypt and Palestine

An advanced persistent threat (APT) group linked to Hamas, known as Arid Viper, has been identified using Android spyware called AridSpy since 2022. Recently, researchers have unveiled the previously undisclosed later stages of this malware, shedding light on its distribution and capabilities.

According to a report by ESET, AridSpy is now being spread through trojanized messaging apps, marking a new development in the group’s tactics. The malware has evolved into a multistage trojan: the initial trojanized app downloads additional payloads from a command-and-control server. This shift in strategy adds complexity to the malware and makes it harder to detect and mitigate.

The researchers conducted a detailed analysis of five distinct AridSpy campaigns targeting Android users in Egypt and Palestine. These campaigns often disguise the spyware within seemingly legitimate applications, making it challenging for users to identify the threat. In Palestine, victims were lured with advertisements for a malicious app posing as the Palestinian Civil Registry, while in Egypt, the spyware was concealed in an app called LapizaChat and fake job postings. These apps were distributed through third-party sites controlled by the threat actors rather than Google Play, further complicating detection efforts.

The analysis revealed that once the second-stage data exfiltration process begins, Arid Viper can gather a plethora of sensitive information from infected devices. This includes location data, contact lists, call logs, text messages, photo thumbnails, clipboard contents, notifications and video recording thumbnails, and the malware can also record audio and take pictures, giving the operators extensive access to the victim’s device.

Past instances of AridSpy being used in campaigns targeting the FIFA World Cup held in Qatar and other activities across the Middle East have been documented. ESET’s report emphasizes that dedicated sites are still hosting at least three ongoing AridSpy espionage campaigns, indicating the persistent and evolving nature of the threat.

Moreover, the researchers suggest that Arid Viper continues to refine and enhance the AridSpy code over time, introducing new updates and malicious code changes to ongoing campaigns. This ongoing maintenance and potential for functional modifications suggest that AridSpy remains an active and evolving threat that requires continuous monitoring and mitigation efforts.

In conclusion, the revelations from the latest report highlight the sophistication and persistence of the Arid Viper APT group and their use of AridSpy to conduct targeted espionage campaigns. It underscores the importance of staying vigilant against such threats and implementing robust cybersecurity measures to protect against advanced malware like AridSpy.
