AridSpy: How Hamas is secretly spying on the Middle East

Tomcat

Infected apps successfully perform their function, providing Palestinian hackers with valuable data.

The Arid Viper hacker group, also known as APT-C-23 and Desert Falcon, is developing a new mobile espionage campaign by spreading AridSpy malware through infected Android apps.

According to ESET researchers, the malware is distributed through dedicated websites offering various applications into which AridSpy malicious code has been added.

The malicious campaign has been running since 2022 and includes five active operations, three of which are still ongoing. The Arid Viper group itself, allegedly linked to Hamas, has been known to use mobile malware since 2017, targeting military personnel, journalists, and dissidents in the Middle East.

An analysis of the latest version of AridSpy by ESET researchers shows that the malware eventually turned into a multi-stage Trojan capable of downloading additional malicious components from the command server. The main targets of the attack are users in Palestine and Egypt who download infected apps from fake sites.

Some of these apps appear to be secure messengers, such as LapizaChat, NortirChat, and ReblyChat, which are based on the legitimate StealthChat, Session, and Voxer Walkie Talkie Messenger apps. There is also an app that simulates the Palestinian Civil Registry program.

The site "palcivilreg[.]com", registered on May 30, 2023, is advertised through a special Facebook page with 179 subscribers. The malicious app on this site is based on a legitimate Google Play app, but uses its own client to communicate with the legitimate server.

It was also discovered that AridSpy is distributed through the job search application from the site "almoshell[.]website", registered in August 2023. This application has no equivalent among legitimate programs.

After installation, the malware checks for antivirus programs and, if none is found, loads the first stage of malicious code. This stage mimics a Google Play Services update and works independently of the original infected app.

The main task of the first stage is to download the next component, which has spyware functions and uses a Firebase domain to communicate with the command server. The malware can execute various commands to collect data from the device and deactivate itself if necessary.

If the user locks or unlocks the phone, AridSpy takes a picture from the front-facing camera and sends it to the server, provided that more than 40 minutes have passed since the last picture, and the battery level is higher than 15%.

Users should be vigilant when installing applications from unverified sources, avoid clicking on questionable links, and update the software in a timely manner. Only a comprehensive approach to cybersecurity will reduce the risk of malware infection and prevent malicious users from stealing confidential information.
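The two distribution domains named above are the only network indicators the post gives. The following script, added here as an example and not code from the post or from ESET, refangs those defanged indicators and scans DNS and proxy log lines for them, matching subdomains too while rejecting look-alike hosts that merely contain the string. The log lines are constructed for the example; the log format, field names and client addresses are assumptions.

```python
"""Scan DNS/proxy log lines for the AridSpy distribution domains named in the post."""
import re

# Indicators exactly as the post gives them, in defanged form.
DEFANGED_IOCS = ["palcivilreg[.]com", "almoshell[.]website"]

# Constructed sample log lines (assumed format: ISO timestamp, source, key=value fields).
SAMPLE_LOGS = [
    "2024-06-01T10:02:11Z dns client=10.0.0.12 query=palcivilreg.com type=A",
    "2024-06-01T10:05:43Z proxy client=10.0.0.17 host=cdn.almoshell.website status=200",
    "2024-06-01T10:06:02Z proxy client=10.0.0.17 host=play.google.com status=200",
    "2024-06-01T10:07:30Z dns client=10.0.0.20 query=notpalcivilreg.com type=A",
    "2024-06-01T10:08:00Z proxy client=10.0.0.21 host=palcivilreg.com.example.net status=200",
]


def refang(indicator):
    """Turn a defanged indicator such as 'example[.]com' back into a usable domain."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def build_matcher(defanged):
    """Compile one regex that matches any listed domain, or a subdomain of it, as a whole host.

    The lookbehind stops matches starting mid-label (so 'notpalcivilreg.com' is not a hit),
    and the lookahead stops the domain being a prefix of a longer host
    (so 'palcivilreg.com.example.net' is not a hit) while still allowing a trailing dot.
    """
    domains = "|".join(re.escape(refang(d)) for d in defanged)
    pattern = (
        r"(?<![A-Za-z0-9.-])"          # not preceded by a host character
        r"(?:[A-Za-z0-9-]+\.)*"        # optional subdomain labels
        r"(?:" + domains + r")"        # one of the listed domains
        r"(?![A-Za-z0-9-]|\.[A-Za-z0-9])"  # not continued by more host characters
    )
    return re.compile(pattern, re.IGNORECASE)


def find_hits(log_lines, matcher=None):
    """Return (line_number, matched_host) for each log line containing an indicator."""
    matcher = matcher or build_matcher(DEFANGED_IOCS)
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = matcher.search(line)
        if match:
            hits.append((number, match.group(0).lower()))
    return hits


if __name__ == "__main__":
    for number, host in find_hits(SAMPLE_LOGS):
        print(f"line {number}: contact with {host}")
```

Run against real exports, replace SAMPLE_LOGS with the lines read from the DNS resolver or proxy; the matcher only reports hosts that are, or sit under, the two domains from the post, so a hit is worth treating as a device that reached one of the fake app sites.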