AridSpy malware targeting Egypt and Palestinian territories in new espionage campaigns
Researchers have discovered several espionage campaigns, some of them ongoing, targeting Android users in Egypt and the Palestinian territories with spyware.
Named AridSpy, the malware is distributed through dedicated websites impersonating various apps, including the messaging apps NortirChat, LapizaChat and ReblyChat, a job opportunity app, and a Palestinian civil registry app.
The spyware is likely operated by a suspected Hamas-affiliated cyberespionage group called Arid Viper, also known as Desert Falcons, according to new research by cybersecurity firm ESET. The group has been active for more than a decade and has previously targeted countries in the Middle East.
In a report on Thursday, researchers identified five Arid Viper campaigns targeting Android users, three of which are still active. The hackers delivered malware via dedicated websites where victims were tricked into downloading and manually installing an Android app infected with AridSpy.
These malicious apps have never been offered through Google Play and are downloaded from third-party sites. To install them, potential victims must enable the non-default Android option that allows installing apps from unknown sources, researchers said.
AridSpy was discovered in 2021 and was previously used to target Arabic-speaking users attending the FIFA World Cup in Qatar. At that time, researchers discovered over 1,000 infected devices, mainly in Israel and Palestine.
In new campaigns described by ESET, AridSpy was transformed into a multi-stage trojan that can download additional payloads from the hackers' server onto victims’ devices.
To gain initial access, the hackers convinced victims to install a fake but functional app from the malicious website. All analyzed Android apps from these campaigns contain similar malicious code and download first- and second-stage malware payloads.
Once the payloads are downloaded and executed, AridSpy monitors the state of the device screen. When the victim locks or unlocks the phone, it takes a picture with the front camera and sends it to the hackers' server, provided the most recent picture was taken more than 40 minutes earlier and the battery level is above 15%.
The spyware can also gather various types of victim data, including device location, contact list, call logs, text messages, WhatsApp databases containing exchanged messages and user contacts, browser search history, and all received notifications, including from Facebook Messenger.
It is unclear how many users were targeted by AridSpy in the latest campaign and how the hackers used the data they obtained.
Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.