June 17, 2024 at 02:08AM
The Hamas-linked APT group Arid Viper is using the Android spyware AridSpy, distributed through Trojanized messaging apps. The malware targets Android users in Egypt and Palestine, collecting a wide range of device data and enabling audio and visual surveillance. Several AridSpy espionage campaigns are still active, and the group continues to update and maintain the spyware.
From the provided meeting notes, the following key takeaways are evident:
– Arid Viper, a Hamas-linked advanced persistent threat (APT) group, has been observed using the Android spyware AridSpy in campaigns dating back to 2022.
– Researchers, primarily from ESET, have conducted a comprehensive analysis of AridSpy and its distribution methods through Trojanized messaging apps.
– AridSpy is a multistage trojan: the initial Trojanized app downloads additional payloads from the command-and-control (C&C) server.
– Five separate AridSpy campaigns targeted Android users across Egypt and Palestine, with the spyware concealed within seemingly legitimate applications. In Palestine, victims were targeted with a malicious app posing as the Palestinian Civil Registry; in Egypt, the spyware was hidden in an app called LapizaChat and in scam job-opportunity apps. All of these were distributed from third-party sites controlled by the threat actors rather than from official app stores.
– Once the second stage begins exfiltrating data, AridSpy can gather a wide range of information from infected devices, including location, contact list, call logs, text messages, photo thumbnails, clipboard data, notifications, and video-recording thumbnails; it can also record audio, take pictures, and more.
– AridSpy was previously used in targeting the FIFA World Cup held in Qatar and other campaigns across the Middle East.
– At least three AridSpy espionage campaigns are still active and employ dedicated websites to distribute malicious apps impersonating various legitimate applications and services such as NortirChat, LapizaChat, ReblyChat, job postings, and the Palestinian Civil Registry.
– Arid Viper is likely still maintaining and improving the AridSpy code: updated payloads and modified malicious code are being pushed to the ongoing campaigns, indicating active development and possible changes in functionality.
These takeaways provide a comprehensive understanding of the activities and capabilities of AridSpy, as well as the ongoing threats posed by Arid Viper.