Cisco Talos has been monitoring the activities of the Arid Viper advanced persistent threat (APT) group [4], also known as APT-C-23 [1], Desert Falcon [1], or TAG-63 [1]. The group has targeted Arabic-speaking Android users since at least 2017; the campaign summarized here uses a counterfeit version of a dating app called Skipped as its lure.

Description

The malicious version of Skipped [3] is a knockoff of a dating app that is legitimately available on the Google Play store; it is delivered outside the store, disguised as an update, and shares malicious links. These links lead users to a tutorial video that contains a URL directing them to a domain controlled by the attackers [3]. That domain serves custom mobile malware delivered as Android Package (APK) files [2]; the malware can disable security notifications [3], collect sensitive user information [2] [3], and deploy additional malicious applications [2] [3] [4].

Arid Viper’s spyware distribution campaign began in April 2022, and the malicious app shares code with the legitimate dating app Skipped [1]. The attackers use counterfeit profiles on social media to persuade targets to download the malicious app [1]. Once installed, the spyware hides itself on the device [1], requests a broad set of permissions [1], and can install additional hidden malware disguised as legitimate apps such as Facebook Messenger and WhatsApp [1].
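The delivery chain described in the two paragraphs above (a lure page outside any app store, followed by an APK download from an attacker-controlled domain) is something a security operations team can hunt for in forward-proxy logs. The following is an added example written for this summary, not code from Cisco Talos or from any of the cited reports. It assumes a proxy log in combined-log format with the full request URL and the response Content-Type appended, and it uses constructed log lines with reserved example domains; no real Arid Viper indicators appear in it. The allow-list of app-store hosts is an assumption an organisation would replace with its own.

```python
"""Flag Android package (APK) downloads served from hosts outside official app stores.

Added example with constructed log lines; not part of the original page or any cited report.
Log format assumed: combined log with full URL, then "referer" "user-agent" "content-type".
"""
import re
from dataclasses import dataclass
from typing import Iterable, List
from urllib.parse import urlsplit

# Assumption: hosts from which APK delivery is expected (official store CDNs).
# An enterprise would add its own MDM or private-store hosts here.
TRUSTED_APK_HOSTS = {
    "play.googleapis.com",
    "play.google.com",
    "android.clients.google.com",
}

APK_MIME = "application/vnd.android.package-archive"

# One combined-log line with the response Content-Type as a final quoted field.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]+" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<ctype>[^"]*)"$'
)


@dataclass
class Alert:
    client: str
    host: str
    url: str
    referer: str
    reason: str


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or '' for '-' and other non-URLs."""
    return (urlsplit(url).hostname or "").lower()


def is_apk(url: str, ctype: str) -> bool:
    """True if the response is an APK by MIME type or by file extension."""
    return ctype.lower().startswith(APK_MIME) or urlsplit(url).path.lower().endswith(".apk")


def analyze(lines: Iterable[str]) -> List[Alert]:
    """Return one Alert per successful APK download from a non-allow-listed host."""
    alerts: List[Alert] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparsable lines belong to a separate log-hygiene check
        if m["status"] != "200":
            continue  # only completed downloads matter here
        url, ctype = m["url"], m["ctype"]
        if not is_apk(url, ctype):
            continue
        host = host_of(url)
        if host in TRUSTED_APK_HOSTS:
            continue
        reasons = ["APK served from host outside the app-store allow-list"]
        ref_host = host_of(m["referer"])
        if ref_host and ref_host != host:
            # A lure page on one site handing off to a download on another is the
            # "tutorial video -> attacker domain" pattern described in the text.
            reasons.append(f"referred from a different site ({ref_host})")
        if "Android" in m["ua"] and "Mobile" in m["ua"]:
            reasons.append("Android mobile user agent")
        alerts.append(Alert(m["client"], host, url, m["referer"], "; ".join(reasons)))
    return alerts


# Constructed sample log lines for this example (reserved .example domains, no real indicators).
SAMPLE_LOG = [
    '10.0.0.12 - - [12/Apr/2022:10:14:03 +0000] "GET https://play.googleapis.com/download/by-token/download?token=abc HTTP/1.1" 200 48211 "https://play.google.com/store/apps/details?id=com.example.app" "Mozilla/5.0 (Linux; Android 12) Mobile" "application/vnd.android.package-archive"',
    '10.0.0.12 - - [12/Apr/2022:10:21:47 +0000] "GET https://videos.tutorial.example/how-to-update.html HTTP/1.1" 200 9120 "https://social.example/profile/user1" "Mozilla/5.0 (Linux; Android 12) Mobile" "text/html"',
    '10.0.0.12 - - [12/Apr/2022:10:22:10 +0000] "GET https://cdn.update-lure.example/app-update.apk HTTP/1.1" 200 5312000 "https://videos.tutorial.example/how-to-update.html" "Mozilla/5.0 (Linux; Android 12) Mobile" "application/vnd.android.package-archive"',
    '10.0.0.33 - - [12/Apr/2022:11:02:09 +0000] "GET https://cdn.update-lure.example/app-update.apk HTTP/1.1" 404 0 "-" "curl/8.0" "text/html"',
]


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"{a.client} -> {a.host} {a.url}\n    {a.reason}")
```

Only the third constructed line should fire: the Play download is allow-listed, the tutorial page is not an APK, and the fourth line never completed. In practice the allow-list should also cover any enterprise store, and the referrer check is a prioritisation hint rather than a hard signal, since many legitimate sideloads also arrive via a link.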

Arid Viper is associated with cyber activities aligned with Hamas [1], although Talos found no direct link between this campaign and the Israel-Hamas conflict [1]. Additionally, Cisco Talos has discovered a network of dating-themed applications related to Skipped [2] [4], with connections to companies in Singapore [4] and Dubai [2] [4] and to Skipped GmbH, the Germany-registered publisher of Skipped [2]. These applications may generate revenue for the APT operators by prompting users to purchase “coins” for continued interaction [4]. Skipped GmbH appears to be associated with non-malicious dating applications published by the Singapore and Dubai companies [2]. Talos has identified multiple domains registered by Skipped GmbH that serve as product home pages for romance and dating-themed applications [2]. The websites on these domains use the same template and link to the applications on the app stores [2], although the legal agreements and publisher information on the sites do not necessarily name Skipped GmbH [2].

Conclusion

The activities of the Arid Viper APT group pose a significant threat to Arabic-speaking Android users. The group’s use of a counterfeit dating app as a disguise, and its ability to deliver spyware that masquerades as updates to legitimate apps, highlight the need for increased user awareness and caution. Users should verify the authenticity of apps and install only from trusted sources, and in particular should treat an “update” offered through a link on social media or a video page, rather than through the app store, as suspect. App store operators should also strengthen their measures to prevent the distribution of malicious applications. The discovery of a network of dating-themed applications related to Skipped raises the concern that similar APT groups may exploit popular app categories for their own campaigns. Continued monitoring and collaboration between cybersecurity organizations and app store operators are essential to mitigate the risks posed by such threats.

References

[1] https://firsthackersnews.com/arid-viper-target-android/
[2] https://blog.talosintelligence.com/arid-viper-mobile-spyware/
[3] https://www.darkreading.com/dr-global/arid-viper-camouflages-malware-in-knockoff-dating-app
[4] https://www.infosecurity-magazine.com/news/arid-viper-targets-arabic-speaking/