ESET Research discovers multistage Android malware AridSpy distributed via fake apps

In a recent discovery by ESET Research, a multistage Android malware named AridSpy has been unearthed. This malware is being distributed through five dedicated websites, targeting Android users in various campaigns.

Believed to be orchestrated by the Arid Viper APT group, these campaigns have been active since 2022. The AridSpy malware operates in multiple stages, downloading payloads from its Command & Control (C&C) server to evade detection. It is disseminated through fake websites posing as legitimate messaging apps, a job opportunity app, and a Palestinian Civil Registry app. These apps have been trojanized with malicious code to infect unsuspecting users.

ESET Research identified the AridSpy Trojan operating specifically in Palestine and Egypt, focusing on espionage of user data. The Arid Viper group, also known as APT-C-23, Desert Falcons, or Two-tailed Scorpion, is known for its cyberespionage activities targeting the Middle East region.

The malicious AridSpy app is not available on Google Play and can only be downloaded from third-party sites. Users are tricked into enabling the installation of apps from unknown sources before downloading the infected apps. Once installed, AridSpy can collect various data from the victim’s device and send it to a remote server for exfiltration.

The discovery of AridSpy highlights the ongoing threats posed by cyberespionage groups targeting unsuspecting users. It serves as a reminder for users to be vigilant and cautious when downloading apps from unknown sources to protect their personal information and devices from potential cyber threats.