Hamas Hackers Sling Stealthy Spyware Across Egypt, Palestine

Hamas-linked advanced persistent threat (APT) group Arid Viper has been observed using Android spyware AridSpy dating back to 2022. Now, for the first time, researchers have provided a full analysis of the malware's previously mysterious later stages.

It turns out AridSpy is being distributed through Trojanized messaging apps, according to researchers with ESET, which recently released a new report on AridSpy campaigns.

"New in these campaigns, AridSpy was turned into a multistage trojan, with additional payloads being downloaded from the command-and-control server by the initial, trojanized app," the report said.

The researchers analyzed five separate AridSpy efforts targeting Android users across Egypt and Palestine, according to the report. AridSpy often lurks in applications with legitimate functions, making it more difficult to detect; in this case, victims in Palestine were targeted with advertisements for a malicious app posing as the Palestinian Civil Registry, ESET said. In Egypt, the first-stage spyware was hidden in an app called LapizaChat as well as in scam job opportunity postings. The apps are available for download from third-party sites controlled by the threat actors, rather than Google Play.

Once second-stage data exfiltration begins, the analysis showed the threat group is able to collect a raft of data, including device location, contact list, call logs, text messages, photo thumbnails, clipboard data, notifications, video recording thumbnails, as well as giving the cybercriminals the ability to record audio, take pictures, and more.

Previous analysis revealed AridSpy was used in 2022 to target the FIFA World Cup held in Qatar, among other campaigns across the Middle East, the report said.

Dedicated sites are still running at least three AridSpy espionage campaigns, ESET warns.

"At the time of this publication, three out of the five discovered campaigns are still active; the campaigns used dedicated websites to distribute malicious apps impersonating NortirChat, LapizaChat, and ReblyChat, ... job postings..., and Palestinian Civil Registry apps," the report said.

Arid Viper is likely maintaining and improving the AridSpy code as time goes on, as well.

"Naturally, the second-stage payload carries the latest updates and malicious code changes, which can be pushed to other ongoing campaigns," the researchers noted. "This information suggests that AridSpy is maintained and might receive updates or functionality changes."