Thursday, 1 May 2025

Sophisticated spyware AridSpy targets Middle East in new malware campaign

ESET reveals new malware campaigns involving AridSpy, orchestrated by Arid Viper to target Android users in the Middle East, employing sophisticated espionage tactics.

ESET Research has recently revealed the existence of a sophisticated piece of Android malware, known as AridSpy, which is being distributed through five disguised websites. This malware is linked to the well-known cyberespionage group Arid Viper, also referred to as APT-C-23, Desert Falcons, or Two-tailed Scorpion, which has a history of targeting the Middle East.

Unveiling AridSpy

AridSpy has been detected in both Palestine and Egypt and is attributed, with medium confidence, to the Arid Viper APT group. This malware takes the form of a Trojan that is controlled remotely, with capabilities that focus on the espionage of user data. It can spy on messaging apps and extract content from the device, among other functionalities. It is typically bundled into applications that offer genuine services, making it even more deceptive.

How AridSpy infiltrates and operates

The campaigns began in 2022 and distribute a multistage Android spyware that ESET has named AridSpy. The malware downloads its first- and second-stage payloads from its Command & Control (C&C) server only after installation, which helps it avoid detection at the point of download. The payloads are spread through dedicated websites that impersonate various messaging apps, a job opportunity app, and a Palestinian Civil Registry app. Often, these are existing legitimate applications that have been trojanized by the addition of AridSpy’s malicious code.

“In order to gain initial access to the device, the threat actors try to convince their potential victim to install a fake, but functional, app. Once the target clicks the site’s download button, myScript.js, hosted on the same server, is executed to generate the correct download path for the malicious file,” explains ESET researcher Lukáš Štefanko, who discovered AridSpy.

The extent of AridSpy’s espionage capabilities

AridSpy is not just sophisticated in its disguise but also in its functionality. It is designed to avoid detection by network monitoring tools and can deactivate itself based on its coded instructions. The data exfiltration process is either triggered by a command received from the Firebase C&C server or when a predefined event occurs. Such events might include changes in internet connectivity, the installation or uninstallation of an app, phone calls made or received, SMS messages sent or received, connecting or disconnecting a battery charger, or the device rebooting.

If any of these events occur, AridSpy begins to gather a wide range of victim data and uploads it to the exfiltration C&C server. This includes the device location, contact lists, call logs, text messages, thumbnails of photos and videos, recorded phone calls and surrounding audio, photos taken by the malware, WhatsApp databases containing exchanged messages and user contacts, bookmarks and search history from the default browser and Chrome, Samsung Browser, and Firefox if installed, files from external storage, and all received notifications, among others.
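The event-driven collection described above gives a triage analyst something concrete to look for: an app that registers broadcast receivers for those same system events and also requests the permissions needed for the listed data categories. The following script is an added example, not ESET's tooling or any AridSpy code; it runs that check over a constructed sample AndroidManifest.xml, and its thresholds are illustrative rather than a published detection rule.

```python
# Added example: triage an AndroidManifest.xml for the event-driven triggers the
# article lists for AridSpy combined with the permissions its collection needs.
import xml.etree.ElementTree as ET
A = "{http://schemas.android.com/apk/res/android}"  # Android XML namespace
# Broadcast actions matching the trigger events described in the article.
TRIGGER_ACTIONS = {
    "android.net.conn.CONNECTIVITY_CHANGE": "connectivity change",
    "android.intent.action.PACKAGE_ADDED": "app installed",
    "android.intent.action.PACKAGE_REMOVED": "app uninstalled",
    "android.intent.action.PHONE_STATE": "phone call",
    "android.provider.Telephony.SMS_RECEIVED": "SMS received",
    "android.intent.action.ACTION_POWER_CONNECTED": "charger connected",
    "android.intent.action.ACTION_POWER_DISCONNECTED": "charger disconnected",
    "android.intent.action.BOOT_COMPLETED": "device reboot",
}
# Permissions covering the data categories the article says are collected.
COLLECTION_PERMISSIONS = {
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG", "android.permission.READ_SMS",
    "android.permission.RECORD_AUDIO", "android.permission.CAMERA",
    "android.permission.READ_EXTERNAL_STORAGE",
}

def triage_manifest(xml_text, min_triggers=3, min_perms=3):
    """Return (triggers, perms, suspicious): AridSpy-like triggers and collection
    permissions declared, and whether both illustrative thresholds are met."""
    root = ET.fromstring(xml_text)
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}
    perms &= COLLECTION_PERMISSIONS
    triggers = set()
    for recv in root.iter("receiver"):  # receivers run without user interaction
        for action in recv.iter("action"):
            if action.get(A + "name") in TRIGGER_ACTIONS:
                triggers.add(TRIGGER_ACTIONS[action.get(A + "name")])
    suspicious = len(triggers) >= min_triggers and len(perms) >= min_perms
    return sorted(triggers), sorted(perms), suspicious

# Constructed sample manifest for a trojanized "chat" app; not a real artifact.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.example.chat">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application><receiver android:name=".EventReceiver"><intent-filter>
    <action android:name="android.intent.action.BOOT_COMPLETED"/>
    <action android:name="android.net.conn.CONNECTIVITY_CHANGE"/>
    <action android:name="android.intent.action.ACTION_POWER_CONNECTED"/>
    <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
  </intent-filter></receiver></application></manifest>"""
```

A legitimate messaging app can declare some of these entries on its own, so the result is a triage signal to prioritise a sample for analysis, not a verdict.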

This ongoing investigation into AridSpy by ESET underscores the persistent threats posed by cybercriminal groups and the critical importance of cautious software installation practices, especially from non-official sources.
