Arid Viper Weaponizing Android Apps To Exfiltrate Login Details

Arid Viper APT Group Targets Android Users in the Middle East

Arid Viper APT Group has been actively targeting Android users in the Middle East through five campaigns since 2022. These campaigns involve the use of trojanized apps that impersonate legitimate ones, such as messaging apps and a civil registry app. These malicious apps are downloaded from fake websites and require users to enable installation from unknown sources.

The AridSpy malware, initially single-stage, has evolved into a multi-stage trojan that downloads additional payloads from a command-and-control (C&C) server. The same myScript.js script appears across the group's distribution websites, which links those sites together and helped identify additional campaigns.

Infiltration overview

A new multi-stage Android spyware has been discovered targeting users in Palestine and Egypt. This spyware is distributed through websites that impersonate legitimate applications, such as messaging apps and a Palestinian Civil Registry app. The attackers use a malicious JavaScript file called myScript.js to download the spyware from their servers, a file previously linked to the Arid Viper APT group.

The attackers employ social engineering tactics to trick users into downloading trojanized versions of real messaging apps such as StealthChat, Session, and Voxer. These malicious apps contain the AridSpy malware, which is capable of stealing user data.

NortirChat (left) and ReblyChat (right) distribution websites

In a recent campaign, the attackers distributed malicious Android apps disguised as Palestinian Civil Registry and job opportunity apps. The Palestinian Civil Registry app collects personal information, while the job opportunity app sends requests to a malware distribution website.

AridSpy is a multi-stage Android spyware that checks for installed security software, avoids downloading payloads if found, takes pictures with the front camera, collects device data and user activities, and exfiltrates them to a C&C server. It can also be remotely controlled through commands and snoops on Facebook Messenger and WhatsApp communications.

Victim’s WhatsApp communication (right) logged by AridSpy (left)

Several malware versions were found in the Android apps; some deliver their malicious functionality through a second-stage payload. According to ESET researchers, this behavior is likely unintended and may be leftover code from earlier versions. Even without the second-stage payload, which likely contains the latest malware updates, the apps can still function as spyware.
