Malicious Android apps have been leveraged by suspected Hamas-linked threat operation Arid Viper — also known as APT-C-23, Grey Karkadann, Two-tailed Scorpion, Desert Falcon, and Mantis — to facilitate the deployment of the AridSpy spyware as part of five mobile espionage campaigns, three of which remain active, The Hacker News reports.
Intrusions involved the utilization of fraudulent sites distributing trojanized versions of the NortirChat, LapizaChat, and ReblyChat messaging apps, a malicious version of the Palestinian Civil Registry app, and a fake job opportunity app to spread AridSpy, which deploys a first-stage payload upon execution and operates even after the deletion of the malicious apps, according to a report from ESET.
Initial malware injection is then followed by the distribution of the next-stage payload, which enables extensive data exfiltration and self-deactivation, said researchers, who noted that user snapshots are being captured and exfiltrated by the spyware every time targets lock or unlock their devices.
