Arid Viper Android Apps Exfiltrate Login

Arid Viper APT Group has targeted Android users in the Middle East with five campaigns since 2022. These campaigns used trojanized apps impersonating legitimate ones, such as messaging apps and a civil registry app, which were downloaded from fake websites and required enabling installation from unknown sources. 

AridSpy malware, initially single-stage, evolved into a multi-stage trojan, downloading additional payloads from a command-and-control server.

The group used the myScript.js script to connect distribution websites and identify additional campaigns.  

Infiltration overview

A new multi-stage Android spyware targeting users in Palestine and Egypt was discovered. It is distributed through websites impersonating legitimate applications such as messaging apps and a Palestinian Civil Registry app.

In order to download the spyware from their servers, the attackers used a malicious JavaScript file called myScript.js that other researchers had previously linked to the Arid Viper APT group.

The custom code used in myScript.js helps to attribute AridSpy to Arid Viper with medium confidence. 

 JavaScript code responsible for downloading the malicious app

The attackers used social engineering to trick users into downloading malicious applications that were trojanized versions of real messaging apps such as StealthChat, Session, and Voxer.

They distributed the malicious apps through dedicated websites. Clicking the download button on these websites initiated a script that retrieved the download path from the server.

The Trojanized apps contained AridSpy malware that could steal user data. 

NortirChat (left) and ReblyChat (right) distribution websites

The attackers also launched a campaign distributing malicious Android apps disguised as Palestinian Civil Registry and job opportunity apps. The Palestinian Civil Registry app impersonates a legitimate app to collect personal information.

The job opportunity app is not a trojanized version of any legitimate app; instead, it sends requests to a malware distribution website. Both apps are advertised on Facebook.

Last modified sample update

AridSpy is a multi-stage Android spyware distributed through trojanized apps that impersonate legitimate ones. It checks for installed security software and avoids downloading payloads if any is found.

The spyware takes pictures with the front camera, collects various device data and user activities, exfiltrates them to a C&C server, and can be remotely controlled through commands.

It also snoops on Facebook Messenger and WhatsApp communications by misusing accessibility services.

Victim’s WhatsApp communication (right) logged by AridSpy (left)
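A defender-side triage check for the two behaviours described above (installation from outside an app store and misuse of accessibility services), added here as an example and not taken from the ESET research or this article. It cross-references the output of `adb shell pm list packages -i` with `adb shell settings get secure enabled_accessibility_services`; the package names, sample output and trusted-installer list are constructed assumptions.

```python
import re

# Installers treated as trusted app stores (assumption; adjust to fleet policy).
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed sample output, not captured from a real or infected device.
SAMPLE_PM = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.chatclone  installer=null
package:com.example.notes  installer=com.android.vending
"""
SAMPLE_A11Y = ("com.google.android.marvin.talkback/"
               "com.google.android.marvin.talkback.TalkBackService:"
               "com.example.chatclone/.SyncService")

def parse_installers(pm_output):
    """Map package name -> installer from `pm list packages -i` output."""
    installers = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            installers[m.group(1)] = m.group(2)
    return installers

def parse_accessibility(setting_value):
    """Return the packages named in enabled_accessibility_services."""
    value = setting_value.strip()
    if not value or value == "null":
        return set()
    # The setting is a colon-separated list of package/class components.
    return {entry.split("/", 1)[0] for entry in value.split(":") if entry}

def flag_sideloaded_accessibility(pm_output, setting_value,
                                  system_packages=frozenset()):
    """List (package, installer) pairs that hold an enabled accessibility
    service but were not installed by a trusted store. Preinstalled packages
    (e.g. from `pm list packages -s`) can be excluded via system_packages."""
    installers = parse_installers(pm_output)
    flagged = []
    for pkg in sorted(parse_accessibility(setting_value)):
        if pkg in system_packages:
            continue
        installer = installers.get(pkg, "unknown")
        if installer not in TRUSTED_INSTALLERS:
            flagged.append((pkg, installer))
    return flagged

if __name__ == "__main__":
    for pkg, installer in flag_sideloaded_accessibility(SAMPLE_PM, SAMPLE_A11Y):
        print(f"review: {pkg} (installer={installer}) has an accessibility service")
```

A hit is a lead for review, not a verdict: legitimately sideloaded accessibility tools will also be flagged.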

Different versions of the malware are found in the Android apps, and the increasing version numbers indicate that the malware is actively maintained.

Interestingly, some trojanized apps deliver malicious functionality through a second-stage payload, even though the same functionality is already included within the app itself. 

According to ESET researchers, the behavior is likely unintended and might be leftover code from earlier versions.

Regardless, these apps can still function as spyware without the second-stage payload. The second-stage payload, however, likely contains the latest malware updates.
