Beware the cyber threat: Invasive Android spyware targets Android applications

Smartphone with Android (image source: © Dobreprogramy | Oskar Ziomek)

12:26 PM EDT, June 16, 2024

Security researchers from ESET are drawing attention to the accelerating campaigns of fraudsters who infect Android applications. The immediate threat is the spy payload AridSpy, which currently targets popular programs in Palestine and Egypt.

Although there is no direct threat to users in the U.S., we have often witnessed the rapid development of events in similar attacks. Typically, after succeeding in one market, these threats quickly adapt to target popular applications in other countries, increasing the pool of potential victims. As reported by ESET, the software reaches Android phones in several stages, all starting with an infected application.

Once downloaded and installed by the user, the application fetches the first payload, which can subsequently download another data package. Only then is the entire software chain ready, enabling the attacker to exchange data with the server and spy on the user who has fallen victim to the attack. ESET reports that five campaigns conducted in this manner have been identified so far, attributed to the Arid Viper group, also known as APT-C-23.

AridSpy software infection diagram (© ESET)

When successfully launched on the victim's smartphone, AridSpy can read a range of information, allowing detailed surveillance of the victim. It can access the device's location, contact list, call history, SMS messages, photos stored on the device, clipboard contents, and notifications. Additional capabilities come into play if the victim's device was previously rooted.

ESET points out that AridSpy reaches Android phones through various means, and the root of the problem is that the trojanised applications are not distributed through the official Google Play store. In the cases described abroad, the spyware has been distributed through a crafted Facebook page or alternative hosting, not linked to the official distribution channels for Android applications.