| AridSpy | |
| --- | --- |
| Type of Malware | Spyware |
| Country of Origin | Palestine |
| Date of initial activity | 2021 |
| Targeted Countries | Egypt, Palestine |
| Associated Groups | AridViper |
| Motivation | Cyberwarfare |
| Attack Vectors | Third Party Software |
| Targeted Systems | Android |
| Type of information Stolen | Login Credentials |
Overview
AridSpy represents a sophisticated new threat in the realm of Android malware, attributed to the Arid Viper APT group. Unveiled by ESET Research on June 13, 2024, AridSpy exemplifies the group’s ongoing efforts to infiltrate and compromise mobile devices in the Middle East. The malware is characterized by its multistage infection process, which involves embedding malicious code into seemingly legitimate applications. These trojanized apps are distributed through dedicated websites, preying on users’ trust in legitimate software to execute its payload.
The distribution strategy of AridSpy is particularly insidious. It involves using a variety of fake applications, including messaging apps, job opportunity platforms, and even a Palestinian Civil Registry app. These apps, while appearing functional and safe, are actually designed to execute AridSpy’s malicious code. Once installed, AridSpy establishes a persistent presence on the victim’s device, employing advanced techniques to avoid detection and gather sensitive data. This data can include personal messages, call logs, location information, and multimedia content, all of which are exfiltrated to the attackers’ Command & Control servers.
Targets
Individuals.
How they operate
Arid Viper’s operations typically commence with Initial Access through spear-phishing campaigns (T1566), wherein the group lures victims into downloading and installing malicious applications. These trojanized apps, masquerading as legitimate software, serve as the entry point for the malware. Once the malicious app is installed, AridSpy executes its payload using Malicious Mobile Code (T1203), initiating its sophisticated espionage functions.
Persistence is a critical element of Arid Viper’s strategy. Although the specific techniques can vary based on the operating system, the group employs methods akin to Modify Registry (T1547) to ensure their malware remains active on the compromised devices. This is complemented by Exploitation of Vulnerabilities (T1203) to gain elevated privileges, enabling the malware to perform more comprehensive data collection.
The malware’s ability to evade detection is marked by its use of Code Obfuscation (T1027) and Masquerading (T1036). AridSpy obfuscates its code to avoid detection by security systems, while its distribution through fake applications camouflages its true intent. Once installed, AridSpy collects sensitive data such as call logs, text messages, and multimedia content, leveraging techniques like Data from Local System (T1005) and Input Capture (T1056) to gather comprehensive information.
For Exfiltration (T1041), AridSpy transmits the collected data to Arid Viper’s Command and Control (C&C) servers over encrypted channels, ensuring that the stolen information is securely delivered to the attackers. This data exfiltration process underscores the group’s capability to gather and utilize vast amounts of sensitive information for espionage purposes.
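The trojanized-app pattern described above (declared permissions for SMS, call logs, location and audio, a hook to restart after reboot, and installation from outside an app store) can be triaged statically from an app's manifest before any dynamic analysis. The following Python is an added example written for this page, not code from ESET or any AridSpy sample: it parses a constructed AndroidManifest.xml, tallies the collection and persistence capabilities it declares, and combines them with the installer package (assumed to be supplied by the caller from the device's package manager) into a verdict. The permission-to-category mapping, the weights and the thresholds are the example's own assumptions, chosen so that a single sensitive permission does not flag a legitimate messaging app while the combination of several collection categories, persistence and sideloading does.

```python
"""Static triage of an Android manifest for spyware-style capability indicators.

Added example for this page; the manifests below are constructed, not taken
from any real sample. Installer package names are assumed to come from the
device's package manager and are passed in by the caller.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Optional, Set

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ANAME = f"{{{ANDROID_NS}}}name"  # ElementTree key for the android:name attribute

# Permissions that map onto the collection behaviour described on this page
# (call logs, SMS, location, audio, multimedia). Mapping is an assumption.
COLLECTION_PERMISSIONS = {
    "android.permission.READ_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.READ_CALL_LOG": "call_log",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.RECORD_AUDIO": "audio",
    "android.permission.CAMERA": "camera",
    "android.permission.READ_EXTERNAL_STORAGE": "media",
}
# Persistence indicators: survive a reboot, keep a long-running service alive.
PERSISTENCE_PERMISSIONS = {
    "android.permission.RECEIVE_BOOT_COMPLETED": "boot_receiver",
    "android.permission.FOREGROUND_SERVICE": "foreground_service",
}
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play; extend per environment


@dataclass
class TriageResult:
    package: str
    installer: Optional[str]
    collection: Set[str] = field(default_factory=set)
    persistence: Set[str] = field(default_factory=set)
    sideloaded: bool = False
    score: int = 0


def triage_manifest(manifest_xml: str, installer: Optional[str]) -> TriageResult:
    """Parse the manifest and score its collection/persistence/sideload indicators."""
    root = ET.fromstring(manifest_xml)
    result = TriageResult(package=root.get("package", "?"), installer=installer)
    for perm in root.iter("uses-permission"):
        name = perm.get(ANAME, "")
        if name in COLLECTION_PERMISSIONS:
            result.collection.add(COLLECTION_PERMISSIONS[name])
        if name in PERSISTENCE_PERMISSIONS:
            result.persistence.add(PERSISTENCE_PERMISSIONS[name])
    # The permission alone is not enough; a receiver registered for
    # BOOT_COMPLETED is the concrete hook that re-launches the app after reboot.
    for action in root.iter("action"):
        if action.get(ANAME) == BOOT_ACTION:
            result.persistence.add("boot_receiver")
    result.sideloaded = installer not in TRUSTED_INSTALLERS
    # Weights are assumptions: persistence and sideloading count more than any
    # single data category, because legitimate apps often need one or two of them.
    result.score = (len(result.collection)
                    + 2 * len(result.persistence)
                    + (3 if result.sideloaded else 0))
    return result


def verdict(result: TriageResult) -> str:
    """Thresholds are assumptions; tune them against your own app inventory."""
    if result.score >= 8 and len(result.collection) >= 3:
        return "high"
    if result.score >= 4:
        return "medium"
    return "low"


# Constructed manifest resembling a trojanized "chat" app: broad collection
# permissions plus a boot receiver for persistence.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chatapp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="Chat">
        <receiver android:name=".BootReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>"""

# Constructed benign manifest: one sensitive permission, no persistence hook.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.photos">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <application android:label="Photos"/>
</manifest>"""


if __name__ == "__main__":
    for xml, installer in ((SAMPLE_MANIFEST, "com.example.browser"),
                           (BENIGN_MANIFEST, "com.android.vending")):
        r = triage_manifest(xml, installer)
        print(r.package, sorted(r.collection), sorted(r.persistence),
              "sideloaded" if r.sideloaded else "store", r.score, verdict(r))
```

The same chat-style manifest installed from Google Play drops to a medium verdict, which is the intended behaviour: a real messaging app legitimately reads SMS and contacts, so the store-of-origin signal is what separates a trojanized copy distributed from a dedicated website from the genuine article with the same permission set.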
MITRE Tactics and Techniques
Initial Access
Spear Phishing (T1566): Arid Viper often uses phishing tactics to lure victims into installing malicious apps or visiting malicious websites.
Execution
Malicious Mobile Code (T1203): The malware, AridSpy, is executed on Android devices through trojanized applications, leveraging the user’s trust in legitimate apps.
Persistence
Modify Registry (T1547): Although AridSpy is specific to Android, which has no registry, analogous persistence techniques may be adapted, such as modifying app settings to ensure continued execution.
Privilege Escalation
Exploitation of Vulnerabilities (T1203): AridSpy may exploit vulnerabilities in mobile applications or the Android OS to gain higher levels of access.
Defense Evasion
Code Obfuscation (T1027): AridSpy uses techniques to obfuscate its code and avoid detection by security software.
Masquerading (T1036): The malware is distributed through apps that masquerade as legitimate software, such as messaging apps or job application platforms.
Credential Access
Credential Dumping (T1003): AridSpy collects sensitive data, including credentials and messaging content, which can be used for further attacks or espionage.
Discovery
System Information Discovery (T1082): The malware gathers detailed information about the device, including installed applications and system configuration.
Collection
Data from Local System (T1005): AridSpy collects data from the device for later exfiltration, including call logs, text messages, and multimedia content.
Input Capture (T1056): The spyware can capture keystrokes and other input data.
Exfiltration
Exfiltration Over Command and Control Channel (T1041): Data collected by AridSpy is sent to the attackers’ Command & Control (C&C) servers.
Impact
Data Manipulation (T1565): While primarily focused on data collection, the manipulation of collected data can be part of broader espionage activities.