Arid Viper's AridSpy malware targets Android users in Palestine & Egypt. This multistage attack steals data like contacts & messages. Learn how to protect yourself!

Continue reading
Arid Viper, also known as APT-C-23, Desert Falcons, or Two-tailed Scorpion, has been an active cyberespionage group since at least 2013. This group, primarily targeting Middle Eastern countries, has recently intensified its efforts in mobile espionage, particularly against Android users in Egypt and Palestine.
SecureBlink threat researchers have thoroughly analyzed five ongoing campaigns employing a multistage Android spyware called AridSpy. This detailed analysis aims to dissect the technical nuances, methodologies, and implications of these campaigns.
The five identified campaigns primarily distribute AridSpy via dedicated websites impersonating legitimate applications. These include various messaging apps, a job opportunity app, and a Palestinian Civil Registry app. SecureBlink's telemetry detected six occurrences of AridSpy in Palestine and Egypt, indicating targeted espionage operations.
AridSpy is distributed through fake, but seemingly functional, Android applications. Victims are lured into downloading these apps from third-party websites, as these apps are not available on the Google Play Store. The distribution websites identified include:
Once a victim downloads the trojanized app, a JavaScript file named `myScript.js`, hosted on the same server, is executed. This script generates the correct download path for the malicious AridSpy payload. The script performs an AJAX request to `api.php` on the server, returning a specific file directory and name.
The application installs as a legitimate app but secretly incorporates the first stage of AridSpy. The malware's first stage focuses on avoiding detection by security software and establishing initial communication with the Command & Control (C&C) server.
Unlike its earlier single-stage version, AridSpy now operates as a multistage trojan. The initial app acts as a conduit, downloading and installing additional payloads from the C&C server. This approach helps in evading detection and ensures persistence.
The first-stage payload is an AES-encrypted file downloaded from a hardcoded URL. This payload decrypts itself using a hardcoded key and requests the victim to install it manually. It masquerades as a legitimate Google Play services update. Once installed, it operates independently of the initial app.
Named `prefLog.dex`, the second-stage payload contains the main espionage functionalities. It is dynamically loaded and executed by the first-stage payload. This payload establishes a persistent connection with the C&C server, ready to receive commands and exfiltrate data.
Functional Analysis
The primary goal of AridSpy is to exfiltrate sensitive user data. The malware is capable of:
AridSpy employs various methods to avoid detection during data exfiltration. For instance, it only captures images when the device screen is turned on or off, ensuring the battery level is above 15% and a minimum of 40 minutes has passed since the last capture.
AridSpy communicates with its C&C server using Firebase for receiving commands and a separate hardcoded domain for data exfiltration. The C&C communication is designed to blend with normal network traffic to evade detection. For instance, it can deactivate itself by changing the exfiltration server to a benign-looking domain, making it less likely to be flagged by network security systems.
AridSpy uses trivial string obfuscation techniques where each string is converted from a character array. This method is consistent across all stages of the malware, complicating the reverse engineering process for security analysts.
Attribution and Indicators of Compromise (IoCs)
SecureBlink also agrees to be attributed as AridSpy to the Arid Viper group with medium confidence. Key indicators include:

148 malicious npm packages masquerading as student proxy and school Wi-Fi bypass tools. Rather than compromising developers during installation