A suspected Arid Viper APT campaign utilizes trojanized apps to target Android users. Since 2022, at least five campaigns have delivered multistage AridSpy spyware, which retrieves payloads from a command-and-control server for enhanced evasion.
The attackers distribute the malware through websites spoofing legitimate messaging apps, a job search app, and a Palestinian Civil Registry app, which are likely legitimate applications laced with AridSpy’s malicious code.
A newly discovered three-stage Android malware named AridSpy is being distributed through fake websites impersonating legitimate applications. It is a remote access trojan (RAT) focused on data espionage and spreads through trojanized versions of real apps.
The malware downloads additional payloads from a command-and-control server, indicating a more sophisticated attack strategy compared to its previously documented single-stage form.
It targets users in Palestine and Egypt and is attributed with medium confidence to the Arid Viper APT group, a cyberespionage group active since at least 2013.
Technical Analysis of AridSpy:
The attackers used social engineering to trick victims into downloading malicious applications that appeared to be legitimate messaging apps.
The apps were hosted on websites that mimicked real messaging apps; when downloaded, they installed trojanized versions of legitimate messaging apps containing AridSpy, which gave the attackers remote access to the victim's device.
This campaign targets Android users and distributes a multi-stage trojan called AridSpy, which is disguised as legitimate messaging apps (NortirChat, LapizaChat, ReblyChat) or useful utilities (Palestinian Civil Registry, job opportunity app).
The malicious code hidden in the downloaded app contacts the C&C server and checks the device for installed antivirus software. If none is found, the trojan downloads a first-stage payload disguised as a Google Play Services update, which in turn downloads further payloads from the C&C server.
Figure: request to the potential victim to install the first-stage payload (left to right: LapizaChat, ReblyChat, and Palestinian Civil Registry).
AridSpy is multistage malware that steals user data from Android devices: a first-stage payload is injected into a trojanized app, and that payload downloads a second-stage payload (prefLog.dex) and executes it.
The second-stage payload steals various user data, including location, contacts, call logs, text messages, photos, videos, and files. It can also record surrounding audio and keystrokes.
According to ESET researchers, the stolen data is uploaded to a Firebase-based C&C server, and the malware also receives commands from the C&C server that control its behavior.
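The staging described above (a fake "Google Play Services update" lure and a second-stage dex file, prefLog.dex, loaded by a sideloaded app) gives a defender two concrete things to hunt for in an installed-app inventory. The following triage script is an added example, not ESET's code or anything from the campaign; all package names except com.google.android.gms and com.android.vending are constructed.

```python
# Added defensive triage example (not ESET's code): flag AridSpy-style
# indicators in a constructed installed-app inventory. Every package name
# other than com.google.android.gms and com.android.vending is made up.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

GMS_PACKAGE = "com.google.android.gms"      # genuine Google Play Services package
PLAY_STORE = "com.android.vending"          # installer id of the Play Store
STAGE2_DEX = "preflog.dex"                  # second-stage payload name from the report

@dataclass
class InstalledApp:
    package: str
    label: str
    installer: Optional[str]                # None = sideloaded from a website/APK
    data_files: List[str] = field(default_factory=list)  # files in app-private dir

def triage(app: InstalledApp) -> List[str]:
    """Return human-readable findings for one app; an empty list means nothing flagged."""
    findings = []
    # A "Google Play Services" app that is not the real GMS package is a lure.
    if "google play services" in app.label.lower() and app.package != GMS_PACKAGE:
        findings.append(f"impersonates Google Play Services ({app.package})")
    # A sideloaded app that writes extra .dex files into its private directory is
    # loading code the APK did not ship with: the multistage pattern described above.
    extra_dex = [f for f in app.data_files if f.lower().endswith(".dex")]
    if app.installer != PLAY_STORE and extra_dex:
        findings.append(f"sideloaded app loads dynamic code: {', '.join(extra_dex)}")
    if any(f.lower().endswith(STAGE2_DEX) for f in app.data_files):
        findings.append("second-stage payload name prefLog.dex present")
    return findings

def triage_inventory(apps: List[InstalledApp]) -> Dict[str, List[str]]:
    """Map package -> findings for every app that triggered at least one rule."""
    return {a.package: triage(a) for a in apps if triage(a)}

# Constructed inventory: one clean Play Store app, one sideloaded chat app carrying
# the second-stage dex, and one fake "update" lure using a made-up package name.
SAMPLE_INVENTORY = [
    InstalledApp("com.example.notes", "Notes", PLAY_STORE),
    InstalledApp("com.example.lapizachat", "LapizaChat", None, ["files/prefLog.dex"]),
    InstalledApp("com.example.gmsupdate", "Google Play Services", None),
]

if __name__ == "__main__":
    for pkg, hits in triage_inventory(SAMPLE_INVENTORY).items():
        print(pkg, "->", "; ".join(hits))
```

On a real device the inventory would come from `adb shell pm list packages -i` plus a listing of each app's private data directory; the rules themselves do not change.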