The cyber threat group known as Arid Viper, also referred to as APT-C-23 or Desert Falcon, has emerged as the perpetrator behind a recent Android spyware campaign aimed at Arabic-speaking individuals. This sophisticated operation involves the distribution of a fake dating application that is designed to infiltrate users’ devices, extracting sensitive data in the process.
According to a report from Cisco Talos, Arid Viper employs a range of malware functionalities allowing the operators to covertly gather confidential information from compromised devices and execute additional malicious software. Active since at least 2017, this group has connections to Hamas, the governing Islamist militant organization in the Gaza Strip. However, despite their activity, Cisco Talos found no direct links between these cyber operations and the ongoing Israel-Hamas conflict.
The malware campaign utilizes techniques reminiscent of previous tactics used by Arid Viper, which include exploiting seemingly harmless mobile applications to establish a ‘honey trap.’ Notably, the recently discovered Android malware shares code with a legitimate dating app called Skipped, suggesting that the attackers either collaborated with the app’s developers or reverse-engineered its features for malicious purposes.
The modus operandi of this operation involves luring potential victims with a video tutorial that appears to demonstrate the purported dating application. A clickable link in the video’s description leads users to an attacker-controlled domain that delivers the malicious APK file. Once installed, the malware conceals itself and disables critical system notifications to evade detection and maintain a low profile on the infected device; this suppression is applied in particular on Samsung devices and to any Android package whose name includes the term “security.”
Noteworthy permissions requested by the malware include audio and video recording capabilities, access to contacts and call logs, SMS interception, alteration of Wi-Fi settings, and background app manipulation. Such broad access allows the malware to gather detailed system information, receive updated command-and-control domains from the attacker, and download additional harmful software disguised as reputable applications such as Facebook Messenger, Instagram, and WhatsApp.
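A defender triaging an APK can check for exactly the permission cluster the two paragraphs above describe. The following Python script is an added example written for this article, not Cisco Talos tooling or code from the campaign: it parses a decoded AndroidManifest.xml, buckets the declared permissions into the capabilities the report lists (recording, contacts and call logs, SMS, Wi-Fi control, installing further packages), and flags a notification-listener service as a possible mechanism for suppressing notifications. The permission names are real Android identifiers; the capability grouping, the thresholds and both manifests are constructed assumptions for illustration, and whether Arid Viper’s sample uses a notification listener is not stated in the article.

```python
"""Static manifest triage for the spyware permission cluster described in the text.

Example code added to this article (not Talos tooling, not the malware's code).
The manifests below are constructed samples, not extracted from the real APK.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERM = f"{{{ANDROID_NS}}}permission"

# Capability buckets: real Android permission names, grouped (our assumption)
# by the behaviours the report attributes to the malware.
CAPABILITIES = {
    "record_audio_video": {"android.permission.RECORD_AUDIO", "android.permission.CAMERA"},
    "contacts_call_logs": {"android.permission.READ_CONTACTS", "android.permission.READ_CALL_LOG"},
    "sms_interception": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "wifi_control": {"android.permission.CHANGE_WIFI_STATE"},
    "side_load_apps": {"android.permission.REQUEST_INSTALL_PACKAGES"},
}
LISTENER_PERM = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"

# Constructed sample: a "dating app" asking for the whole cluster.
SPY_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.dating.sample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".NotifService" android:permission="%s">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>""" % LISTENER_PERM

# Constructed sample: what a legitimate dating app might plausibly request.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.dating.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application/>
</manifest>"""


def parse_manifest(xml_text):
    """Return (declared permissions, True if a notification-listener service is declared)."""
    root = ET.fromstring(xml_text)
    perms = {e.get(NAME) for e in root.iter("uses-permission") if e.get(NAME)}
    listener = any(s.get(PERM) == LISTENER_PERM for s in root.iter("service"))
    return perms, listener


def triage(xml_text):
    """Bucket permissions into capabilities and give a coarse verdict.

    A single capability (camera, contacts) is normal for a dating app; the report's
    point is the combination, so the verdict is driven by how many buckets are hit.
    Thresholds are an assumption of this example.
    """
    perms, listener = parse_manifest(xml_text)
    hits = {cap for cap, needed in CAPABILITIES.items() if perms & needed}
    if listener:
        hits.add("notification_listener")
    if len(hits) >= 4:
        verdict = "suspicious"
    elif len(hits) >= 2:
        verdict = "review"
    else:
        verdict = "benign"
    return {"permissions": sorted(perms), "capabilities": sorted(hits), "verdict": verdict}


if __name__ == "__main__":
    for label, manifest in (("spy sample", SPY_MANIFEST), ("benign sample", BENIGN_MANIFEST)):
        result = triage(manifest)
        print(f"{label}: {result['verdict']} via {result['capabilities']}")
```

The script expects the text form of the manifest; inside an APK the manifest is stored as binary AXML, so decode it first (apktool or androguard both do this) and feed the resulting XML to `triage`. The benign sample lands on "review" rather than "benign" because camera plus contacts already hits two buckets, which is the intended behaviour: the script surfaces combinations for a human to look at rather than pretending a permission list alone proves malice.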
Recent investigations by Recorded Future have highlighted possible connections between Arid Viper and Hamas, uncovering infrastructure overlaps involving an Android application named Al Qassam that has been circulated in channels associated with the militant group’s military wing. This overlap hints at a precarious slip in operational security for the group and suggests that shared resources among Hamas affiliates may facilitate these malicious activities.
Mapped to the MITRE ATT&CK framework, this campaign exemplifies the Initial Access tactic, with the fake application serving as the entry point for malware installation. The persistence of this threat is evidenced by the malware’s stealthy operation and its capability to escalate privileges on targeted devices, ensuring ongoing access to sensitive user information. Business owners must remain vigilant against such threats, as they pose significant risks to both personal data and broader cybersecurity integrity.
As the landscape of cyber threats continues to evolve, understanding the techniques and strategies employed by groups like Arid Viper becomes crucial in developing defensive measures and maintaining robust cybersecurity frameworks.