Arid Viper poisons Android apps with AridSpy
- November 4, 2024
- Posted by: claudia
ESET researchers have uncovered five targeted campaigns against Android users that distribute a sophisticated spyware dubbed AridSpy. These operations, attributed with medium confidence to the Arid Viper APT group, began in 2022, and three were still active at the time of the report. The malware is built for data espionage and uses a multi-stage approach: the initial trojanized apps download subsequent payloads from command and control (C&C) servers, which helps the operators evade detection. AridSpy is spread through websites masquerading as messaging applications, a Palestinian Civil Registry app, and a job opportunity app, with malicious code embedded into trojanized versions of those apps.
The campaigns identified by ESET rely on victims downloading malware from intentionally misleading websites. The malicious apps often mimic legitimate messaging applications, combining benign, working components with additional malicious functionality. Previous research had documented the first stage of AridSpy in 2021, which at that time consisted of purely malicious code. ESET’s report goes further, providing a comprehensive analysis of the malware’s later stages and their operational techniques, and showing how AridSpy has evolved into a more complex multi-stage threat.
Initial identification of AridSpy’s distribution channels dates back to campaigns such as Kora442, which sought to exploit high-profile events like the FIFA World Cup. The malware has been found in telemetry collected from Palestine and Egypt. Three of the five campaigns remain operational, distributing apps that include NortirChat, LapizaChat, and the Palestinian Civil Registry app; all of them require the user to enable installation of apps from unknown sources before the trojanized app can be installed.
Through careful monitoring, ESET documented six occurrences of AridSpy, predominantly in Palestine, with one detection in Egypt. The malware is linked to the Arid Viper group, which has a long history of cyberespionage in the Middle East using varied tactics and malware across multiple platforms. The group has reused distinctive JavaScript code, notably myScript.js, across several distribution sites, linking the current operations to past campaigns.
The investigation confirmed a consistent pattern of using JavaScript on the distribution sites to drive the download process, which points to a specialized and reusable framework for malware distribution. Before deploying its later stages, the malware checks the device for installed security applications and does not proceed if any are detected, adding a further layer of evasion on top of the trojanized-app disguise.
ESET’s technical analysis of AridSpy describes how it harvests sensitive user data through a multi-stage payload mechanism. The first-stage payload masquerades as a benign application update and downloads additional functionality that enables the spyware to monitor user activity and collect data. The second-stage payload consolidates these spyware capabilities and can extract vast amounts of information, ranging from location data and contact logs to intercepted communications from popular applications such as WhatsApp and Facebook Messenger.
AridSpy has extensive espionage reach: it can log the user’s keystrokes and gather large amounts of intelligence from compromised devices. Metadata about user interactions lets Arid Viper operators exfiltrate significant personal data in real time, amounting to a comprehensive breach of both stored and communicated personal data. This use of multiple payload stages highlights the advanced methods the Arid Viper group employs to install, operate, and maintain its spyware effectively.
ESET’s analysis reveals that AridSpy uses AES encryption for sensitive communications, allowing the malware to remain stealthy while executing instructions from the C&C server. The malware can switch exfiltration methods to avoid detection and can add further functionality that expands its intelligence-gathering capabilities without the user noticing.
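The behaviours described above (apps installed only after sideloading is enabled, messaging-themed lures, broad data collection, keylogging, and enumeration of installed security apps) can be turned into a simple defender-side triage heuristic over a device’s app inventory. The following Python script is an added example and is not ESET’s code or tooling from the report. The Android permission names are real, but their grouping into capabilities, the thresholds, the package names, and the app inventory are constructed for this illustration; treating an accessibility service as the likely keylogging surface is an assumption, since the report summary does not say how AridSpy logs keystrokes.

```python
"""Triage heuristic for sideloaded Android apps with spyware-like permission
clusters. Added illustration, not code from ESET or the AridSpy report."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Real Android permission names. Grouping them into capabilities is an
# assumption made for this heuristic, not something the report lists.
CAPABILITY_PERMS: Dict[str, Set[str]] = {
    "contacts": {"android.permission.READ_CONTACTS",
                 "android.permission.READ_CALL_LOG"},
    "messages": {"android.permission.READ_SMS",
                 "android.permission.RECEIVE_SMS"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_BACKGROUND_LOCATION"},
    "media": {"android.permission.RECORD_AUDIO",
              "android.permission.CAMERA"},
    # Assumption: an accessibility service is the usual keylogging surface.
    "accessibility": {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
    # Lets an app enumerate installed packages, e.g. to spot security apps.
    "package_enum": {"android.permission.QUERY_ALL_PACKAGES"},
}
# Google Play's installer package; anything else is treated as sideloaded.
TRUSTED_INSTALLERS = {"com.android.vending"}
# Constructed list of words a messaging-themed lure app might use.
MESSAGING_KEYWORDS = ("chat", "messenger", "whatsapp")


@dataclass
class App:
    package: str
    label: str
    installer: Optional[str]          # None when the installer is unknown
    permissions: Set[str] = field(default_factory=set)


def capabilities(app: App) -> Set[str]:
    """Map granted permissions onto the coarse capability groups above."""
    return {name for name, perms in CAPABILITY_PERMS.items()
            if app.permissions & perms}


def triage(app: App) -> dict:
    """Return a verdict plus human-readable reasons for one app."""
    caps = capabilities(app)
    reasons: List[str] = []
    sideloaded = app.installer not in TRUSTED_INSTALLERS
    if sideloaded:
        reasons.append(f"sideloaded via {app.installer or 'unknown installer'}")
    if any(k in app.label.lower() for k in MESSAGING_KEYWORDS):
        reasons.append("messaging-themed label")
    data_caps = caps & {"contacts", "messages", "location", "media"}
    if len(data_caps) >= 3:
        reasons.append("broad data-collection permissions: "
                       + ", ".join(sorted(data_caps)))
    if "accessibility" in caps:
        reasons.append("accessibility service (can capture on-screen text)")
    if "package_enum" in caps:
        reasons.append("can enumerate installed packages (e.g. security apps)")
    # Verdict: sideloaded, collects several data classes, and has either a
    # keylogging surface or package enumeration. Thresholds are constructed.
    suspicious = (sideloaded and len(data_caps) >= 3
                  and ({"accessibility", "package_enum"} & caps != set()))
    return {"package": app.package, "suspicious": suspicious,
            "reasons": reasons}


def constructed_inventory() -> List[App]:
    """Constructed sample inventory; package names are placeholders."""
    return [
        App("com.example.lapizachat", "LapizaChat", None, {
            "android.permission.READ_CONTACTS",
            "android.permission.READ_SMS",
            "android.permission.ACCESS_FINE_LOCATION",
            "android.permission.RECORD_AUDIO",
            "android.permission.BIND_ACCESSIBILITY_SERVICE",
            "android.permission.QUERY_ALL_PACKAGES",
        }),
        App("org.example.notes", "Notes", "com.android.vending", set()),
        App("com.example.weather", "Weather", None,
            {"android.permission.ACCESS_FINE_LOCATION"}),
    ]


def triage_inventory(apps: Optional[List[App]] = None) -> Dict[str, dict]:
    """Triage every app and key the results by package name."""
    apps = constructed_inventory() if apps is None else apps
    return {app.package: triage(app) for app in apps}


if __name__ == "__main__":
    for result in triage_inventory().values():
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{result['package']}: {flag}")
        for reason in result["reasons"]:
            print(f"  - {reason}")
```

The verdict deliberately requires all three signals together: a sideloaded weather app that only asks for location, or a Play-installed app with a broad permission set, is noisy rather than suspicious on its own, whereas the combination of sideloading, a wide data-collection footprint, and either an accessibility service or package enumeration matches the profile of the trojanized messaging apps the report describes and is worth a manual look.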
In conclusion, the Arid Viper campaigns represent a high-level cyberespionage threat in which trojanized applications serve as the entry point for extensive data theft. The report details the elaborate design of AridSpy, which continues to evolve with newly added layers, suggesting ongoing development within the APT group’s toolkit. This growing sophistication in AridSpy’s architecture underscores the need for comprehensive security measures and user vigilance against such targeted threats.