ESET researchers uncovered five Android campaigns distributing AridSpy, a multistage spyware likely run by the Arid Viper APT group, with several campaigns still active as of publication. AridSpy downloads first- and second-stage payloads from a C2 server and exfiltrates extensive user data while evading detection through a multi-stage architecture and obfuscated code.
#AridSpy #AridViper #PalestinianCivilRegistry #LapizaChat #NortirChat #ReblyChat
Key points
- Five Arid Viper campaigns targeted Android users with trojanized apps delivering AridSpy spyware.
- AridSpy is a three-stage Android malware that downloads first- and second-stage payloads from a C&C server.
- Campaigns impersonate legitimate apps (messaging apps) and include a Palestinian Civil Registry app and a job-opportunity app.
- Attribution to Arid Viper is with medium confidence, supported by shared JavaScript tooling (myScript.js) and campaign links.
- Victimology centers on Palestine and Egypt, with several campaigns still active at the time of the write-up.
- Malware architecture includes trojanized apps, hidden loading of payloads, and data exfiltration via Firebase and a separate C&C domain.
- AridSpy features extensive data theft capabilities (contacts, messages, media, device data) and uses accessibility services for targeted exfiltration.
MITRE Techniques
- [T1660] Phishing – AridSpy has been distributed using dedicated websites impersonating legitimate services. ‘AridSpy has been distributed using dedicated websites impersonating legitimate services.’
- [T1398] Boot or Logon Initialization Scripts – AridSpy receives the BOOT_COMPLETED broadcast intent to activate at device startup. ‘AridSpy receives the broadcast intent to activate at device startup.’
- [T1624.001] Event Triggered Execution: Broadcast Receivers – AridSpy registers to receive multiple broadcast intents to activate itself. ‘AridSpy registers to receive the NEW_OUTGOING_CALL, PHONE_STATE, SMS_RECEIVED, SMS_DELIVER, BOOT_COMPLETED, USER_PRESENT, CONNECTIVITY_CHANGE, ACTION_POWER_CONNECTED, ACTION_POWER_DISCONNECTED, PACKAGE_ADDED, and PACKAGE_CHANGE broadcast intents to activate itself.’
- [T1407] Download New Code at Runtime – AridSpy can download first- and second-stage payloads. ‘AridSpy can download first- and second-stage payloads.’
- [T1406] Obfuscated Files or Information – AridSpy decrypts a downloaded payload and uses obfuscated strings. ‘AridSpy decrypts a downloaded payload with obfuscated code and strings.’
- [T1418] Software Discovery – AridSpy can identify installed apps (e.g., Facebook Messenger and WhatsApp). ‘AridSpy can identify whether Facebook Messenger and WhatsApp apps are installed on a device.’
- [T1418.001] Security Software Discovery – AridSpy can identify security software installed from a predefined list. ‘AridSpy can identify, from a predefined list, what security software is installed.’
- [T1420] File and Directory Discovery – AridSpy can list files and directories on external storage. ‘list files and directories on external storage.’
- [T1426] System Information Discovery – AridSpy extracts device model, device ID, and common system information. ‘AridSpy can extract information about the device including device model, device ID, and common system information.’
- [T1422] System Network Configuration Discovery – AridSpy extracts the IMEI number. ‘AridSpy extracts the IMEI number.’
- [T1512] Video Capture – AridSpy can take photos. ‘Video Capture’ (photos).
- [T1532] Archive Collected Data – AridSpy encrypts data before exfiltration. ‘encrypts data before extraction.’
- [T1533] Data from Local System – AridSpy exfiltrates files from the device. ‘Data from Local System: exfiltrate files from a device.’
- [T1417.001] Input Capture: Keylogging – AridSpy logs text visible and targets Messenger/WhatsApp chats. ‘Keylogging all text visible and specifically log Facebook Messenger and WhatsApp chat communication.’
- [T1517] Access Notifications – AridSpy collects messages from various apps. ‘Access Notifications: collect messages from various apps.’
- [T1429] Audio Capture – AridSpy records audio via the microphone. ‘Audio Capture’
- [T1414] Clipboard Data – AridSpy captures clipboard contents. ‘Clipboard Data’
- [T1430] Location Tracking – AridSpy tracks device location. ‘Location Tracking’
- [T1636.002] Protected User Data: Call Logs – AridSpy can extract call logs. ‘Protected User Data: Call Logs’
- [T1636.003] Protected User Data: Contact List – AridSpy can extract contacts. ‘Protected User Data: Contact List’
- [T1636.004] Protected User Data: SMS Messages – AridSpy can extract SMS messages. ‘Protected User Data: SMS Messages’
- [T1646] Exfiltration Over C2 Channel – Exfiltrates data using HTTPS. ‘Exfiltration Over C2 Channel’ (HTTPS).
- [T1481.003] Web Service: One-Way Communication – C2 via Google’s Firebase server. ‘Web Service: One-Way Communication: AridSpy uses Google’s Firebase server as a C&C.’
Indicators of Compromise
- [Domain] Distribution and C2 domains – lapizachat.com, nortirchats.com, reblychat.com, palcivilreg.com, almoshell.website, gameservicesplay.com, crashstoreplayer.website, orientflags.com, elsilvercloud.com
- [IP] C2 and distribution IPs – 23.106.223.54 (gameservicesplay.com), 23.106.223.135 (crashstoreplayer.website), 23.254.130.97 (reblychat.com)
- [Domain] PalCivilReg site linking to download – palcivilreg.com (Palestinian Civil Registry campaign)
- [File name] Trojanized apps – LapizaChat.apk, NortirChat_old.apk, NortirChat.apk, reblychat.apk, com.rebelvox.rebly.apk
- [File] Second-stage payload – prefLog.dex, etc. (second-stage Dex payload)
- [Domain] Firebase C2 endpoints – proj-95dae.firebaseio.com and several other Firebase endpoints listed in the report (Firebase-based C2)
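An added example (not from the ESET write-up) of matching the indicators above against DNS and proxy log lines: attacker-owned domains match together with their subdomains, the Firebase project host matches only exactly (firebaseio.com itself is shared Google infrastructure), and the log format and sample lines are constructed for this example.

```python
import ipaddress
import re
from typing import Iterator, List, NamedTuple, Optional

# Attacker-controlled domains from the write-up; any subdomain is a hit.
ARIDSPY_DOMAINS = {
    "lapizachat.com", "nortirchats.com", "reblychat.com", "palcivilreg.com",
    "almoshell.website", "gameservicesplay.com", "crashstoreplayer.website",
    "orientflags.com", "elsilvercloud.com",
}
# Firebase C2 project host: exact match only, never the shared parent domain.
ARIDSPY_EXACT_HOSTS = {"proj-95dae.firebaseio.com"}
ARIDSPY_IPS = {"23.106.223.54", "23.106.223.135", "23.254.130.97"}

# Constructed log format: "<timestamp> <source-ip> <dns|proxy> <target>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<kind>dns|proxy) (?P<target>\S+)$")

class Hit(NamedTuple):
    timestamp: str
    source: str
    indicator: str
    reason: str

def classify_host(host: str) -> Optional[str]:
    """Return why a host or IP matches the IoC set, or None if it does not."""
    h = host.lower().rstrip(".")
    if h in ARIDSPY_EXACT_HOSTS:
        return "exact host " + h
    for d in ARIDSPY_DOMAINS:
        if h == d or h.endswith("." + d):   # "notlapizachat.com" must not match
            return "domain " + d
    try:
        if str(ipaddress.ip_address(h)) in ARIDSPY_IPS:
            return "ip " + h
    except ValueError:   # not an IP literal
        pass
    return None

def scan_log(lines: Iterator[str]) -> List[Hit]:
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and (reason := classify_host(m["target"])):
            hits.append(Hit(m["ts"], m["src"], m["target"], reason))
    return hits

SAMPLE_LOG = [  # constructed sample lines, not real telemetry
    "2024-06-10T08:01:02Z 10.0.0.12 dns www.lapizachat.com",
    "2024-06-10T08:01:05Z 10.0.0.12 proxy 23.106.223.54",
    "2024-06-10T08:02:11Z 10.0.0.31 dns proj-95dae.firebaseio.com",
    "2024-06-10T08:02:12Z 10.0.0.31 dns my-own-app.firebaseio.com",
    "2024-06-10T08:03:00Z 10.0.0.40 dns notlapizachat.com",
]
```

Running `scan_log(SAMPLE_LOG)` flags the first three lines and leaves the legitimate Firebase host and the look-alike domain alone.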
Read more: https://www.welivesecurity.com/en/eset-research/arid-viper-poisons-android-apps-with-aridspy/