The threat actor known as Arid Viper is suspected of being part of a mobile espionage campaign that spreads a spyware called AridSpy through trojanized Android applications.
In a report released today, ESET researcher Lukáš Štefanko stated: “The malware is distributed via dedicated websites that pose as various messaging apps, job opportunity apps, and Palestinian civil registration apps. Typically, these apps are trojanized by adding malicious AridSpy code.”
This campaign has reportedly been ongoing since 2022, with up to five separate instances, and previous variants of AridSpy have been documented by Zimperium and 360 Beacon Labs. Three out of these five campaigns remain active.
ESET’s analysis of the latest version of AridSpy reveals that it has evolved into a multi-stage trojan capable of downloading additional payloads from a command and control (C2) server via the initial trojanized application.
The attack chain primarily targets users in Palestine and Egypt through fake websites that act as distribution points for the decoy applications.
Some of these fake but fully functional apps claim to be secure messaging services, such as LapizaChat, NortirChat, and ReblyChat, each based on legitimate apps like StealthChat, Session, and Voxer Walkie Talkie Messenger.
ESET also discovered that AridSpy is distributed under the guise of job opportunity apps via a website registered in August 2023 (“almoshell[.]website”). Notably, this app is not based on any legitimate application.
Upon installation, the malicious app checks for the presence of security software based on a hardcoded list and proceeds to download the first-stage payload only if no security software is detected on the device. This payload masquerades as a Google Play Services update.
“The payload can operate independently without the trojanized app being installed on the same device,” Štefanko explained. “This means that if the victim uninstalls the initial trojanized app, such as LapizaChat, AridSpy remains unaffected.”
The primary role of the first stage is to download the next stage component, which contains malicious functionalities and uses Firebase domains for C2 purposes.
The malware supports various commands to extract data from the device and can even deactivate itself or perform data exfiltration when using a mobile data plan. Data exfiltration is initiated through commands or by triggering specific predefined events.
“If the victim locks or unlocks their phone, AridSpy takes a photo using the front camera and sends it to the infiltration C&C server,” Štefanko said. “The photo is only taken if more than 40 minutes have passed since the last photo and the battery level is above 15%.”
By understanding the operations and distribution methods of AridSpy, users and security professionals can better protect against this sophisticated mobile spyware.
