ESET cybersecurity researchers have uncovered a new Android mobile malware campaign orchestrated by the Arid Viper APT group. This campaign specifically targets Android users in Egypt and Palestine with trojanized apps that distribute the espionage-focused AridSpy trojan.
The Arid Viper APT group, also tracked as APT-C-23, Desert Falcons, and Two-tailed Scorpion, has been conducting cyberespionage since at least 2013. Its targets are concentrated in the Middle East, and it maintains a toolset spanning Android, iOS, and Windows. In the campaign Trend Micro documented as "Operation Arid Viper" in February 2015, the group targeted Israelis with malware delivered alongside an X-rated video. More recently, in December 2020, it resurfaced with a Python-based backdoor called PyMICROPSIA, again aimed at Israeli targets.
According to ESET researcher Lukas Stefanko, the investigation identified five distinct espionage campaigns, three of which were still ongoing at the time of publication. The campaigns rely on trojanized apps posing as messaging apps, a job-opportunity app, and the Palestinian Civil Registry app. Named examples include NortirChat, LapizaChat, ReblyChat, تطبيق المشغل (an Arabic job-opportunity app, "the Operator app"), and السجل المدني الفلسطيني (Palestinian Civil Registry).
The malicious apps are distributed through dedicated third-party websites rather than Google Play, so a victim must first enable installation from unknown sources, a non-default Android setting, before the APK will install. ESET's telemetry recorded six AridSpy detections in Palestine and Egypt, most of them tied to the fake Palestinian Civil Registry app. In Egypt the same first-stage payload was seen under a different package name, suggesting the operators repackage the dropper for different lures and audiences.
Based on its research, ESET attributes AridSpy to Arid Viper. The group's historical targeting of organizations in Palestine and Egypt, together with the presence of a malicious JavaScript file named "myScript.js" that 360 Beacon Labs and FOFA had previously linked to Arid Viper, supports this attribution. Notably, the same JavaScript code was reportedly used in a 2022 campaign themed around the FIFA World Cup in Qatar that delivered an earlier version of AridSpy.
AridSpy poses a significant risk to victims because it can keylog visible and editable text in other applications, with Facebook Messenger and WhatsApp as explicit targets. It does this by abusing Android's built-in accessibility services: once the victim grants the app accessibility access, the malware can read on-screen text and upload it to a C&C server, exposing users to identity theft, financial fraud, and blackmail. A messaging or job-search app that insists on accessibility permission it has no functional need for is therefore a warning sign in its own right.
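The two conditions described above (an app installed from outside Google Play, and that same app holding an enabled accessibility service) are both visible from a USB-debugging session, which makes them a cheap first triage check on a suspect device. The script below is an added example, not ESET's tooling or anything from the AridSpy samples: it parses the output of `adb shell pm list packages -3 -i` (third-party packages with their installer) and `adb shell settings get secure enabled_accessibility_services`, then flags packages that are both sideloaded and granted accessibility access. The embedded command output and package names are constructed for the example; the `installer=null` convention and the colon-separated `package/ServiceClass` format are Android's.

```python
"""Flag sideloaded Android apps that hold an enabled accessibility service.

Added triage example. Input is the text produced by:
  adb shell pm list packages -3 -i
  adb shell settings get secure enabled_accessibility_services
Both samples below are constructed; the package names are placeholders,
not real AridSpy identifiers.
"""
import re

# Installers we treat as trustworthy. com.android.vending is Google Play.
# Anything else (browser download, package installer, null) counts as sideloaded.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed sample of `pm list packages -3 -i` (third-party apps only, so
# preinstalled system apps never appear here).
SAMPLE_PM_OUTPUT = """\
package:com.whatsapp  installer=com.android.vending
package:com.facebook.orca  installer=com.android.vending
package:com.example.lapizachat  installer=null
package:com.example.civilregistry  installer=com.google.android.packageinstaller
"""

# Constructed sample of the enabled_accessibility_services secure setting:
# colon-separated flattened component names (package/class).
SAMPLE_A11Y_OUTPUT = (
    "com.example.lapizachat/com.example.lapizachat.KeyService:"
    "com.google.android.marvin.talkback/.TalkBackService"
)

PM_LINE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)\s*$")


def parse_installers(pm_output):
    """Map package name -> installer package (None when pm prints 'null')."""
    installers = {}
    for line in pm_output.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            inst = m.group("inst")
            installers[m.group("pkg")] = None if inst == "null" else inst
    return installers


def parse_accessibility_services(setting_value):
    """Map package name -> set of fully qualified enabled service classes."""
    services = {}
    value = setting_value.strip()
    if not value or value == "null":  # setting unset: no services enabled
        return services
    for component in value.split(":"):
        if "/" not in component:
            continue
        pkg, cls = component.split("/", 1)
        if cls.startswith("."):  # Android allows ".Class" shorthand
            cls = pkg + cls
        services.setdefault(pkg, set()).add(cls)
    return services


def is_sideloaded(installer):
    return installer not in TRUSTED_INSTALLERS


def sideloaded_packages(pm_output):
    """All third-party packages not installed by a trusted installer."""
    return sorted(p for p, i in parse_installers(pm_output).items() if is_sideloaded(i))


def flag_suspects(pm_output, setting_value):
    """Sideloaded third-party apps that also hold an enabled accessibility service.

    Packages absent from the pm output are system apps (e.g. preinstalled
    TalkBack) and are not flagged; Play-installed apps are not flagged either.
    """
    installers = parse_installers(pm_output)
    suspects = []
    for pkg, classes in sorted(parse_accessibility_services(setting_value).items()):
        if pkg in installers and is_sideloaded(installers[pkg]):
            suspects.append({"package": pkg, "installer": installers[pkg],
                             "services": classes})
    return suspects


if __name__ == "__main__":
    print("Sideloaded:", sideloaded_packages(SAMPLE_PM_OUTPUT))
    for s in flag_suspects(SAMPLE_PM_OUTPUT, SAMPLE_A11Y_OUTPUT):
        print(f"SUSPECT {s['package']} (installer={s['installer']}): "
              f"{', '.join(sorted(s['services']))}")
```

On a real device, replace the two constants with the captured command output; a hit is not proof of infection, but a sideloaded chat app with an accessibility service enabled is exactly the profile the keylogging described above requires and warrants pulling the APK for analysis.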
To reduce exposure to campaigns like this one, users should avoid installing apps from links or third-party websites and keep Play Protect and the "install unknown apps" restriction in place, since every app in this campaign required sideloading. Reading reviews and checking ratings helps only marginally; the more useful habit is to scrutinize what an app asks for at install and first run, and to refuse accessibility access to any app that does not plainly need it.
