The hacking group known as Arid Viper (also identified as APT-C-23, Desert Falcon, or TAG-63) is purportedly responsible for a distribution campaign involving Android spyware. This spyware specifically targets Arabic-speaking users by posing as a fake dating app, and it clandestinely gathers data from compromised devices.
According to Cisco Talos, this malware operates in a stealthy manner, surreptitiously gathering sensitive data from victims’ devices and deploying additional executable files.
Arid Viper hackers have been conducting attacks since 2017 and are associated with cyber activities aligned with the interests of Hamas. The cybersecurity firm reported that there is no evidence linking this campaign to the ongoing Israel-Hamas conflict.
The distribution of the spyware is believed to have started in April 2022.
Notably, the malware exhibits code similarities with a legitimate online dating app named Skipped. This suggests that the operators are either affiliated with the app’s developers or have attempted to replicate its features to deceive users.
Arid Viper hackers frequently employ seemingly genuine applications to distribute malware. They utilize counterfeit profiles on social media platforms to deceive potential targets into downloading these malicious apps, particularly Android spyware.
Cisco Talos has revealed a sprawling network of companies that are developing dating apps closely resembling or even identical to Skipped. These apps are expected to become available for download from the official Android and iOS app stores in the coming years.
Some of these apps include:
- VIVIO – Chat, flirt & Dating (Available on the Apple App Store)
- Meeted (formerly Joostly) – Flirt, Chat & Dating (Available on Apple App Store)
- SKIPPED – Chat, Match & Dating (with 50,000 downloads on Google Play Store)
- Joostly – Dating App! Singles (with 10,000 downloads on Google Play)
After installation, the Android spyware conceals itself on the target device by suppressing system and security notifications, including those from packages whose APK package names contain the term “security”, on Samsung mobile devices and all Android phones.
The spyware requests various permissions, including recording audio and video, accessing contacts and call logs, reading SMS messages, changing Wi-Fi settings, terminating background apps, capturing photos, and generating system notifications.
The malware can collect system data, fetch an updated command-and-control (C2) domain from the current C2 server, and install additional hidden malware within seemingly legitimate apps like Facebook Messenger, Instagram, and WhatsApp.
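For defenders triaging a suspicious APK, the permission set described above can be turned into a simple review heuristic. The following is an added example, not code from Cisco Talos or the original article; the mapping from the article's prose to Android permission names, the review threshold, and the sample package names are assumptions, and the input is constructed text in the style of `aapt dump permissions` output.

```python
import re

# Capabilities named in the article, mapped to Android permission names.
# The mapping is this example's assumption; the article lists them only in prose.
# The notification capability is left out because its mapping is ambiguous.
WATCHED = {
    "record audio": "android.permission.RECORD_AUDIO",
    "record video / take photos": "android.permission.CAMERA",
    "read contacts": "android.permission.READ_CONTACTS",
    "read call logs": "android.permission.READ_CALL_LOG",
    "read SMS": "android.permission.READ_SMS",
    "change Wi-Fi settings": "android.permission.CHANGE_WIFI_STATE",
    "terminate background apps": "android.permission.KILL_BACKGROUND_PROCESSES",
}

# Accepts both "uses-permission: name='X'" and the older "uses-permission: X".
PERM_RE = re.compile(r"^uses-permission(?:-sdk-23)?:\s*(?:name=')?([\w.]+)", re.M)
PKG_RE = re.compile(r"^package:\s*(\S+)", re.M)

def parse_dump(text):
    """Return (package name, set of requested permissions) from a dump."""
    pkg = PKG_RE.search(text)
    return (pkg.group(1) if pkg else "<unknown>", set(PERM_RE.findall(text)))

def triage(text, threshold=5):
    """Flag an app for manual review when it requests most of the watched set."""
    pkg, perms = parse_dump(text)
    hits = sorted(label for label, perm in WATCHED.items() if perm in perms)
    return {"package": pkg, "hits": hits, "review": len(hits) >= threshold}

# Constructed samples (hypothetical package names, not real indicators).
SAMPLE_DATING = """\
package: com.example.datingchat
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.READ_CALL_LOG'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.CHANGE_WIFI_STATE'
uses-permission: name='android.permission.KILL_BACKGROUND_PROCESSES'
"""
SAMPLE_TORCH = """\
package: com.example.torch
uses-permission: android.permission.CAMERA
"""

if __name__ == "__main__":
    for sample in (SAMPLE_DATING, SAMPLE_TORCH):
        print(triage(sample))
```

A flag here means the app deserves a closer look, not that it is malicious: legitimate messaging apps request several of these permissions too, so the app's stated purpose matters when reading the result.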
Protection against spyware
To safeguard against Android spyware, install reliable antivirus software on your device. These tools can detect and eliminate spyware, preventing potential harm. Select a program from a reputable provider and keep it up to date for ongoing protection.
Additionally, ensure regular updates for your device, as these typically include security enhancements and address known vulnerabilities.
Furthermore, exercise caution when connecting to open Wi-Fi networks. Avoid accessing sensitive data, like banking information or passwords, on public Wi-Fi. If you must log in, employ a VPN to encrypt your connection and safeguard your personal information.