AridSpy Mobile Malware
The cyber threat group known as AridViper is behind a series of mobile espionage operations employing trojanized Android applications to distribute a spyware variant named AridSpy. These threatening aplications are hosted on deceptive websites posing as legitimate messaging apps, a job search platform, and even a Palestinian Civil Registry application. In many cases, legitimate applications are compromised by integrating AridSpy's bad code.
Table of Contents
AridViper Has a Long History of Mobile Malware Threats
Arid Viper, also known as APT-C-23, Desert Falcon, Grey Karkadann, Mantis, and Two-tailed Scorpion, is believed to be associated with Hamas. Since its emergence in 2017, this group has consistently utilized mobile malware for its operations. Historically, Arid Viper has targeted military personnel, journalists, and dissidents in the Middle East. The group persists active and continues to pose a threat in the mobile malware domain.
The more recent activities have been ongoing since 2022, comprising up to five distinct campaigns. Currently, three of these campaigns remain active.
AridSpy is Spread via Fake Mobile Applications Created by Threat Actors
Analysis of the latest iteration of AridSpy reveals its evolution into a multi-stage Trojan capable of downloading additional payloads from a Command-and-Control (C2) server through the initial trojanized application. The attack primarily targets users in Palestine and Egypt, utilizing fake websites as distribution points for the compromised applications.
These deceptive applications often pose as secure messaging services such as LapizaChat, NortirChat, and ReblyChat, mimicking legitimate platforms like StealthChat, Session and the Voxer Walkie Talkie Messenger. Additionally, another app masquerades as the Palestinian Civil Registry.
One of these websites, palcivilreg.com, registered on May 30, 2023, is promoted through a dedicated Facebook page with 179 followers. The app offered on this website is modeled after a similarly named app found on the Google Play Store.
Although ththreatening application on palcivilreg.com is not a direct copy of the Google Play Store version, it utilizes the legitimate app's server to gather data. This indicates that Arid Viper drew inspiration from the legitimate app's functionality but developed its own client layer to interact with the genuine server.
Attack Chain of the AridSpy Mobile Malware
Upon installation, the malicious application scans for security software on the device based on a predefined list. If none are found, it proceeds to download a first-stage payload, which masquerades as an update for Google Play Services.
This payload operates independently, not requiring the presence of the trojanized application on the same device. Therefore, uninstalling the initial trojanized application, such as LapizaChat, does not affect AridSpy. The primary function of the first-stage payload is to download the next-stage component, which contains harmful functionalities and communicates with a Firebase domain for Command-and-Control (C2) purposes.
The malware is equipped with various commands to extract data from the infected devices and can deactivate itself or initiate data exfiltration when connected to a mobile data plan. Data extraction occurs either through specific commands or triggered events.
For instance, when the victim locks or unlocks the phone, AridSpy captures a picture using the front camera and sends it to the exfiltration C&C server. However, images are only captured if it has been more than 40 minutes since the last picture was taken, and the battery level is above 15%.
