Recent findings from ESET, a Slovakian cybersecurity firm, reveal that Arabic-speaking users have become the focus of a new Android spyware known as Asin. The malware was first identified in early 2025, surfacing through a series of campaigns that cleverly utilized various websites designed to mimic legitimate services, including utilities, war-related updates, and government news sources.
Malicious Websites and Their Deceptive Nature
ESET has pinpointed several fraudulent websites associated with this spyware:
- govlens[.]net: This site impersonates a government news source and was registered on May 27, 2025.
- pdf-reader[.]help: Claiming to be a secure PDF editor, this domain was registered shortly after, on May 29, 2025.
- live-war-map[.]com: This site purports to provide updates on military incidents and was registered on January 20, 2025.
Two of these domains, govlens[.]net and live-war-map[.]com, have also been promoted through dedicated social media accounts on platforms like Facebook and Telegram:
- www.facebook[.]com/GovLens
- <a href="https://t.me/liveuamapar”>t[.]me/liveuamapar
ESET notes that each of these websites distributes a malicious application that cleverly combines legitimate functionality with covert spyware capabilities. The name of the Telegram channel appears to draw inspiration from the Live Universal Awareness Map (Liveuamap), a reputable platform known for mapping conflicts, human rights issues, natural disasters, and geopolitical events globally.
Identifying Artifacts and User Impact
Several artifacts linked to Asin have been uncovered, including:
- An upload to VirusTotal from Türkiye in October 2025.
- An APK downloaded from the domain c-pdf[.]net in December 2025 by a user on a Xiaomi Redmi Note 13 Pro device running Android 15.
- A third sample, disguised as “Syria Defense Map,” detected on a Xiaomi Redmi Note 13 Pro+ 5G device in mid-January 2026, downloaded from syriadefensemap[.]com.
It is crucial to highlight that users must manually install these applications and grant the necessary permissions for the spyware to function effectively. The specific objectives of these campaigns remain unclear, and the activity cluster has not yet been attributed to any particular group. However, given the nature of the lures employed, there is a strong suspicion that journalists and open-source intelligence (OSINT) researchers in Arabic-speaking regions may have been targeted.
ESET remarked, “Three out of the five fraudulent apps we discovered—GovLens, WarMap, and Syria Defense Map—appear primarily aimed at individuals engaged in open-source investigation. This suggests that these activities may have been, at least in part, designed to target Arabic-speaking journalists or OSINT practitioners.”
