The threat actor dubbed Arid Viper (aka APT-C-23, Desert Falcon, or TAG-63) is believed to be the source behind an Android spyware attack targeting people who speak Arabic. The campaign is a fake dating application designed to collect information from compromised phones.
“Arid Viper’s Android malware comes with a variety of capabilities that permit the hackers to steal sensitive data from the devices of victims and deploy executables that are further re-usable,” Cisco Talos said in an article published on Tuesday.
The cyber spying operation, Arid Viper, is linked to Hamas, the Islamist militant group that runs Gaza. Gaza Strip. The cybersecurity firm says there’s no evidence linking the operation to the ongoing war between Israel and Hamas.
Also Read, UK Increases Funding for Cyber-Physical Infrastructure
It is believed that the activity will be in progress as early as April 2022.
The mobile malware has the source code of an online dating app that is not malicious, known as Skipped. This suggests that the creator of the latter is associated with the attackers or was able to copy its features to try to deceive.
The use of supposedly legitimate chat apps to distribute malware is a strategy that is similar to the ‘honey trap’ techniques employed by Arid Viper previously. Arid Viper has used fraudulent profiles on social media sites to deceive users and entice them into installing malicious software. Arid Viper has resorted to using fraudulent profiles on social media sites in order to entice potential victims into installing them.
Cisco Talos reported the discovery of a wide range of companies developing dating-related applications similar to Skipped, which can be downloaded via the official app stores on Android and iOS.
- VIVIO – Chat and flirt and Dating (Available through the Apple App Store)
- Meeting (previously Joostly) – Flirt, Chat & Dating (Available through the Apple App Store)
- SKIPPED Chat, Match, and dating (50,000 Downloads from Google Play Store)
- Joostly Dating App! For singles (10,000 downloaded on Google Play)
The range of simulated dating apps has given rise to the possibility that “Arid Viper operators may seek to use these applications to attack the target further,” the company noted.
Once installed, the malware is able to hide itself on a victim’s computer. It does this by disabling security or system notifications from the operating system. Additionally, it turns off notifications on Samsung mobile devices. It also does so on any Android phone with the APK package name containing “security” in the title, allowing it to go through the air unnoticed.
It also allows the intrusive permissions needed to record both video and audio recordings, view contact information, access call logs, receive SMS notifications, and modify Wi-Fi settings. Additionally, it can stop background applications, capture images, and even create system-wide alerts.
Also Read, Penn State Appoints Manager for $700 Million Stadium Renovation
Other notable features of the malware include the capability to retrieve details about the system. It can also obtain the latest command and control (C2) domain through the existing C2 server. It can also download additional malware that is disguised as legitimate apps, such as Facebook Messenger, Instagram, and WhatsApp.
Arid Viper is not a widely recognized or established terrorist organization, and there is no specific designation for it. It may refer to a hacking group or cyber threat actor rather than a traditional terrorist organization. The Al Qassam overlaps with an Android application, Al Qassam, which a Telegram Channel claiming affiliation to Izz ad-Din al-Qassam Brigades, the military arm of Hamas, released.
“They indicate not only a potential breach in operational security but also the possession of shared infrastructure among these groups,” the company stated. “One plausible explanation for this is that TAG-63 shares infrastructure resources with other factions within the Hamas organization.”
