AridSpy: New espionage threat targets popular Android apps abroad

Smartphone with Android (image source: © Dobreprogramy | Oskar Ziomek)

Oskar Ziomek

16 June 2024 18:52

Security researchers from Eset are drawing attention to a growing series of espionage campaigns in which attackers trojanize Android applications. The threat is the AridSpy spyware, which currently targets users of popular apps abroad, in Palestine and Egypt.

Although there is no direct threat to users in Canada, we have often seen such attacks evolve quickly: after "proving themselves" in one market, they are soon adapted to trojanize popular applications in other countries in order to widen the pool of potential victims. As Eset reports, the spyware reaches Android phones in several stages, starting with a trojanized application.

The trojanized application, once downloaded and installed by the user, fetches a first-stage payload, which in turn can download a second-stage payload. Only then is the full chain in place: it exchanges data with the attackers' server and lets them spy on the victim. According to Eset, five campaigns conducted this way have been identified so far, attributed to the Arid Viper group, also known (among other names) as APT-C-23.

AridSpy software infection scheme (© Eset)

Once AridSpy is running on the victim's smartphone, it can collect a range of information that allows detailed surveillance of the victim: the device's location, the contact list, call history, SMS messages, photos from storage, clipboard contents and notifications. Additional capabilities become available if the victim's device was previously rooted.
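The capability list above maps almost one-to-one onto Android permissions and one privileged service type, which is the first thing an analyst checks when triaging a suspicious APK. The following script is an added example written for this article, not Eset's code and not derived from any AridSpy sample: it parses an AndroidManifest.xml (as extracted by a tool such as apktool) and reports which of the surveillance capabilities named in the text the app has asked for. The two manifests embedded in it are constructed for illustration, and the package names in them are invented.

```python
"""Triage an AndroidManifest.xml for the permission/service combination that
spyware of the AridSpy type needs: location, contacts, call log, SMS,
photos in storage and notification access.  Added example for this article,
not Eset's code; both manifests below are constructed, not real samples."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Capability named in the article -> Android permission(s) that grant it.
# (Clipboard access needs no permission while the app is in the foreground,
# so it cannot be detected from the manifest at all.)
CAPABILITY_PERMISSIONS = {
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "call log": {"android.permission.READ_CALL_LOG"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "photos/storage": {"android.permission.READ_EXTERNAL_STORAGE",
                       "android.permission.READ_MEDIA_IMAGES"},
}
# Notification contents are read through a NotificationListenerService, which
# is declared with this *service* permission rather than requested by the app.
NOTIFICATION_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"


def declared_capabilities(manifest_xml):
    """Return the set of surveillance capabilities the manifest enables."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(NAME) for e in root.iter("uses-permission")}
    caps = {cap for cap, perms in CAPABILITY_PERMISSIONS.items()
            if perms & requested}
    for svc in root.iter("service"):
        if svc.get(PERMISSION) == NOTIFICATION_LISTENER:
            caps.add("notifications")
    return caps


def triage(manifest_xml, threshold=4):
    """Return (capability count, capabilities, suspicious?) for a manifest.

    The threshold is a triage heuristic only: a genuine messenger legitimately
    asks for contacts, SMS and storage, so a high score means 'inspect the
    code and network behaviour', not 'malware'."""
    caps = declared_capabilities(manifest_xml)
    return len(caps), caps, len(caps) >= threshold


# Constructed manifest of a trojanized "messenger" (not a real sample).
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.trojanized.messenger">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application>
    <service android:name=".NotifListener"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed manifest of a harmless app for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""


if __name__ == "__main__":
    for label, manifest in (("trojanized", SUSPICIOUS_MANIFEST),
                            ("benign", BENIGN_MANIFEST)):
        count, caps, flagged = triage(manifest)
        print(f"{label}: {count} surveillance capabilities "
              f"{sorted(caps)} -> {'INSPECT' if flagged else 'ok'}")
```

Run it against the manifest apktool extracts from an APK and treat a hit as a reason to look at what the app does with the data (where the staged payloads are downloaded from, which server they talk to), since the permission set alone cannot separate a spy tool from the legitimate messenger it impersonates.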

Eset points out that AridSpy reaches Android phones through various channels, and the source of the problem is not always an application that made it into the official Google Play store. In the cases described abroad, the spyware was distributed, among other ways, through a purpose-built Facebook page and through third-party hosting sites outside the official Android app distribution channel.