Arid Viper poisons Android apps with AridSpy

June 14, 2024, 8:34 a.m.

Description

ESET researchers identified five campaigns targeting Android users with trojanized apps that deploy multistage Android spyware called AridSpy. The malware, attributed with medium confidence to the Arid Viper APT group, is built for espionage on user data. The trojanized app acts as a first-stage downloader: the spyware components are fetched from the command-and-control server at runtime rather than shipped inside the installed package, which keeps the app itself looking benign to scanners. Once the later stages are running, AridSpy exfiltrates sensitive information such as contacts, messages, location data, and media files.

Date

  • Created: June 14, 2024, 8:25 a.m.
  • Published: June 14, 2024, 8:25 a.m.
  • Modified: June 14, 2024, 8:34 a.m.

Indicators

  • f4ddfd426440829bcbbbe789cb0c18fa3a23798eb5643f1c88b7986390b3d648
  • d6140ef329f2a8f141a05055b1d583a40dc9f5b26b00c63c72c7ebd82fa3c7ec
  • a4e74f74e675a08fdf8e0b55d5da59af8f1c67a2820c97ba6c6790b29589663d
  • 19df327e7c0ffe8bd883f044c3906424cefe893d50a0d5386e8445668d2dd1e4
  • 0cb41557841ff6f314c398250a165706e0b18f93674a7c12f4489018a1661673
  • crashstoreplayer.website
  • almoshell.website
  • 68.65.122.94
  • 68.65.121.90
  • 68.65.121.120
  • 66.29.141.173
  • 64.44.102.198
  • 23.106.223.54
  • 23.106.223.135
  • 199.192.25.241
  • 198.187.31.161
  • 162.0.224.52
  • 45.87.81.169
  • 23.254.130.97
  • www.palcivilreg.com
  • www.lapizachat.com
  • zezsoft.wuaze.com
  • voevanil.com
  • ultraversion.com
  • renatchat.com
  • reblychat.com
  • pariberychat.com
  • palcivilreg.com
  • orientflags.com
  • nortirchats.com
  • lapizachat.com
  • gameservicesplay.com
  • elsilvercloud.com
  • clemochat.com
  • androidd.com
  • analyticsandroid.com
  • alwaysgoodidea.com
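To make the indicator list above actionable, the following is an added example (not code from ESET or from this feed) that buckets the listed IOCs by type and matches them against a few constructed log lines. The indicators are the ones listed on this page; the log format, the host names such as update.almoshell.website, and the device names are assumptions made up for the example. Domain matching is suffix-aware so that a subdomain of a listed C2 domain is still a hit, while a sibling name on a shared hosting parent (for example another customer of wuaze.com next to zezsoft.wuaze.com) is not.

```python
"""Classify the AridSpy indicators above and match them against log lines.
Added example; not ESET's code and not part of the original feed entry."""
import ipaddress
import re
from typing import Dict, List, Optional, Set, Tuple

# Indicators transcribed from the list on this page, whitespace-separated.
ARIDSPY_INDICATORS = """
f4ddfd426440829bcbbbe789cb0c18fa3a23798eb5643f1c88b7986390b3d648
d6140ef329f2a8f141a05055b1d583a40dc9f5b26b00c63c72c7ebd82fa3c7ec
a4e74f74e675a08fdf8e0b55d5da59af8f1c67a2820c97ba6c6790b29589663d
19df327e7c0ffe8bd883f044c3906424cefe893d50a0d5386e8445668d2dd1e4
0cb41557841ff6f314c398250a165706e0b18f93674a7c12f4489018a1661673
crashstoreplayer.website almoshell.website www.palcivilreg.com www.lapizachat.com
zezsoft.wuaze.com voevanil.com ultraversion.com renatchat.com reblychat.com
pariberychat.com palcivilreg.com orientflags.com nortirchats.com lapizachat.com
gameservicesplay.com elsilvercloud.com clemochat.com androidd.com
analyticsandroid.com alwaysgoodidea.com
68.65.122.94 68.65.121.90 68.65.121.120 66.29.141.173 64.44.102.198 23.106.223.54
23.106.223.135 199.192.25.241 198.187.31.161 162.0.224.52 45.87.81.169 23.254.130.97
"""

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$")
# Candidate tokens pulled out of free-form log text: hash, IPv4, or host name.
TOKEN_RE = re.compile(
    r"[0-9A-Fa-f]{64}|\d{1,3}(?:\.\d{1,3}){3}|[A-Za-z0-9.-]+\.[A-Za-z]{2,}"
)


def classify(ioc: str) -> Optional[str]:
    """Return 'sha256', 'ipv4', 'domain', or None for an unrecognised token."""
    token = ioc.strip().lower()
    if SHA256_RE.match(token):
        return "sha256"
    try:
        ipaddress.IPv4Address(token)
        return "ipv4"
    except ValueError:
        pass
    if DOMAIN_RE.match(token):
        return "domain"
    return None


def build_index(raw: str) -> Dict[str, Set[str]]:
    """Bucket the indicators by type, lower-cased for exact comparison."""
    index: Dict[str, Set[str]] = {"sha256": set(), "ipv4": set(), "domain": set()}
    for token in raw.split():
        kind = classify(token)
        if kind is not None:
            index[kind].add(token.lower())
    return index


def domain_hit(host: str, domains: Set[str]) -> Optional[str]:
    """Match a host exactly or as a subdomain of a listed domain.
    Only listed names match: other.wuaze.com does not hit on zezsoft.wuaze.com,
    because the parent wuaze.com is never tried as an indicator on its own."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):  # full name first, then each parent zone
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def scan_log_lines(lines: List[str], index: Dict[str, Set[str]]) -> List[Tuple[int, str, str]]:
    """Return (line_number, ioc_type, matched_ioc) for every indicator hit."""
    hits: List[Tuple[int, str, str]] = []
    for n, line in enumerate(lines, 1):
        for token in TOKEN_RE.findall(line):
            kind = classify(token)
            if kind == "domain":
                matched = domain_hit(token, index["domain"])
                if matched:
                    hits.append((n, "domain", matched))
            elif kind and token.lower() in index[kind]:
                hits.append((n, kind, token.lower()))
    return hits


# Constructed sample telemetry for the example, not real logs.
SAMPLE_LOG_LINES = [
    "2024-06-14T08:40:01Z dns query host=android-7f2 qname=update.almoshell.website type=A",
    "2024-06-14T08:40:02Z proxy CONNECT 68.65.121.90:443 from=10.0.0.23 ua=okhttp/4.9",
    "2024-06-14T08:41:10Z dns query host=android-7f2 qname=cdn.example.org type=A",
    "2024-06-14T08:42:00Z edr apk_installed sha256=F4DDFD426440829BCBBBE789CB0C18FA3A23798EB5643F1C88B7986390B3D648 pkg=com.example.chat",
    "2024-06-14T08:43:05Z dns query host=android-11c qname=other.wuaze.com type=A",
]


def run_example() -> List[Tuple[int, str, str]]:
    """Index the page's indicators and scan the constructed sample lines."""
    return scan_log_lines(SAMPLE_LOG_LINES, build_index(ARIDSPY_INDICATORS))


if __name__ == "__main__":
    for line_no, kind, ioc in run_example():
        print(f"line {line_no}: {kind} indicator {ioc}")
```

The scan hits the subdomain of almoshell.website, the listed C2 address 68.65.121.90, and the upper-cased hash (case-normalised before comparison); the unrelated CDN name and the sibling wuaze.com host are correctly ignored. Swap SAMPLE_LOG_LINES for a real DNS, proxy, or EDR export to hunt with the same indicators.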

Attack Patterns

  • AridSpy
  • Arid Viper

Additional Information

  • Palestine
  • Egypt