Five distinct campaigns targeting Android users with sophisticated trojanised apps orchestrated by the notorious Arid Viper Advanced Persistent Threat (APT) group have been active since 2022, with three still ongoing. The malicious apps deploy a novel multistage Android spyware named AridSpy, designed to evade detection and exfiltrate sensitive user data, predominantly in Palestine and Egypt.
Researchers have attributed AridSpy to the Arid Viper group, also tracked as APT-C-23, Desert Falcons, or Two-tailed Scorpions. Arid Viper, active since at least 2013, has a history of targeting Middle Eastern countries and using a wide range of malware across Android, iOS, and Windows platforms. The unique myScript.js file used in these campaigns links them to Arid Viper.
These five campaigns are as follows:
- NortirChat: Disguised as a messaging app, NortirChat lures users with promises of secure communication. Once installed, it deploys the first-stage AridSpy payload, setting the stage for data exfiltration.
- LapizaChat: Similar to NortirChat, LapizaChat masquerades as a legitimate messaging platform. It follows the same infection chain, with the trojanised app executing malicious scripts to download further payloads.
- ReblyChat: Another fake messaging app, ReblyChat, targets users by mimicking popular chat applications. Its primary function is to infiltrate the device and deploy AridSpy components.
- Job Opportunity App: This app attracts users seeking employment opportunities. Once installed, it behaves like a genuine job search tool while secretly downloading and executing AridSpy payloads.
- Palestinian Civil Registry App: This app is perhaps the most concerning due to its sensitive nature. Posing as a civil registry tool, it targets users seeking governmental services, making it a highly effective vector for AridSpy.
Cybersecurity experts have detailed six occurrences of AridSpy, most of which involve the malicious Palestinian Civil Registry application. The spyware targets user data, making it a potent tool for espionage and information gathering. Victims unknowingly grant the malware extensive permissions, allowing it to operate with minimal interference.
Often, genuine applications are laced with AridSpy’s malicious code, making them difficult to detect. AridSpy’s complexity lies in its multistage nature. Upon initial download, the spyware deploys a first-stage payload that fetches subsequent stages from a Command and Control (C&C) server. This staged approach enhances its ability to avoid detection by security mechanisms.
“In order to gain initial access to the device, the threat actors try to convince their potential victims to install a fake, but functional app. Once the target clicks the site’s download button, myScript.js, hosted on the same server, is executed to generate the correct download path for the malicious file,” ESET researcher Lukas Stefanko told Candid.Technology.
The infection chain begins with convincing victims to download and install a fake yet functional app. Once installed, the trojanised app executes a JavaScript file named myScript.js, which facilitates the download of the malicious payload. This script generates the correct download path for the AridSpy payload and initiates the process.
The first-stage payload, designed to appear as an update to Google Play services, is responsible for downloading the second-stage payload. If the device has security software installed, AridSpy refrains from downloading further payloads, thereby reducing the risk of detection.
This payload can operate independently, ensuring that even if the initial trojanised app is removed, AridSpy remains active.
The second-stage payload, a Dalvik executable (dex), contains the core espionage functionalities. It monitors device activity, takes photos using the front or rear camera upon specific triggers, and exfiltrates data to a hardcoded C&C server. The spyware collects extensive user data, including location, contact lists, call logs, text messages, and even WhatsApp databases.
“It can collect the device location; contact lists; call logs; text messages; thumbnails of recorded videos; recorded phone calls; recorded surrounding audio; malware-taken photos; WhatsApp databases that contain exchanged messages and user contacts; bookmarks and search history from the default browser and Chrome, Samsung browser, and Firefox apps if installed; files from external storage; Facebook Messenger and WhatsApp communication; and all received notifications, among others,” warned Stefanko.
Researchers have advised users to download apps from trusted sources like Google Play and avoid installing apps from third-party websites. Regular OS updates and the use of reputable third-party security software can also help in mitigating such threats.