Cybersecurity experts at Cisco Talos have exposed the latest operations of the espionage-driven Arid Viper advanced persistent threat (APT) group. The new campaign, active since April 2022, has been targeting Arabic-speaking Android users.
According to an advisory published earlier today, the modus operandi of Arid Viper involves the deployment of customized mobile malware in the Android Package (APK) format.
One of the open questions surrounding the Arid Viper campaign is whether the threat actor's activity is connected to the Israel-Hamas conflict. There is no concrete evidence either confirming or denying such a link. Cisco Talos said it conducted thorough due diligence, collaborating closely with law enforcement agencies, before making its findings public.
From a technical standpoint, one intriguing facet of this operation is the striking resemblance between Arid Viper's mobile malware and a legitimate dating application called Skipped. The malware uses a similar name and even the same project on Firebase, Google's application development platform, as the legitimate app, which means both apps are tied to the same backend project identifiers.
The connection raises questions about whether Arid Viper has affiliations with the dating app’s developers or if they’ve unlawfully gained access to the shared project.
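A practitioner triaging such a sample would compare the Firebase identifiers baked into each APK. The Python below is an illustrative example added to this article, not code from Cisco Talos or from its report. It parses the res/values/strings.xml that apktool decodes from an APK (Firebase's Gradle plugin writes the project identifiers into that file) and checks whether two apps point at the same Firebase project. The XML samples and every identifier in them are constructed placeholders, not values from Skipped or the Arid Viper malware.

```python
"""Compare Firebase project identifiers between two decoded Android apps.

Illustrative example added to this article; not code from Cisco Talos.
Input is the res/values/strings.xml that `apktool d app.apk` writes out.
All sample values below are constructed placeholders.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, Optional

# Resource names that Firebase's Gradle plugin generates from google-services.json.
# Any of these appearing in a third-party APK ties it to a specific Firebase project.
FIREBASE_KEYS = (
    "project_id",
    "google_app_id",
    "gcm_defaultSenderId",
    "firebase_database_url",
    "google_storage_bucket",
    "google_api_key",
)

# Constructed sample: the legitimate app's decoded strings.xml (placeholder values).
LEGIT_STRINGS_XML = """<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">ExampleDating</string>
    <string name="project_id">example-dating-12345</string>
    <string name="google_app_id">1:123456789012:android:0123456789abcdef</string>
    <string name="gcm_defaultSenderId">123456789012</string>
    <string name="firebase_database_url">https://example-dating-12345.firebaseio.com</string>
</resources>
"""

# Constructed sample: a suspect APK registered as a *different* app under the same project.
SUSPECT_STRINGS_XML = """<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">ExampleDating Update</string>
    <string name="project_id">example-dating-12345</string>
    <string name="google_app_id">1:123456789012:android:fedcba9876543210</string>
    <string name="gcm_defaultSenderId">123456789012</string>
</resources>
"""

# Constructed sample: an unrelated app on its own Firebase project.
UNRELATED_STRINGS_XML = """<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="project_id">other-app-98765</string>
    <string name="google_app_id">1:998877665544:android:00112233aabbccdd</string>
</resources>
"""


def firebase_identifiers(strings_xml: str) -> Dict[str, str]:
    """Extract the Firebase-related <string name="..."> values from a strings.xml."""
    root = ET.fromstring(strings_xml)
    found = {}
    for node in root.iter("string"):
        name = node.get("name")
        if name in FIREBASE_KEYS and node.text:
            found[name] = node.text.strip()
    return found


def project_number(google_app_id: str) -> Optional[str]:
    """google_app_id has the form 1:<project number>:android:<app hash>;
    the project number is stable across every app registered in a project."""
    m = re.fullmatch(r"1:(\d+):android:[0-9a-f]+", google_app_id)
    return m.group(1) if m else None


def shared_firebase_project(a: Dict[str, str], b: Dict[str, str]) -> Dict[str, object]:
    """Report which identifiers two apps share and whether they sit in one project.

    Two apps registered separately under one project get different app hashes,
    so google_app_id alone can differ while the project is the same; project_id
    and the project number carry the decisive signal.
    """
    shared = {k: a[k] for k in FIREBASE_KEYS if k in a and k in b and a[k] == b[k]}
    pa = project_number(a.get("google_app_id", ""))
    pb = project_number(b.get("google_app_id", ""))
    same_number = pa is not None and pa == pb
    return {
        "shared_keys": shared,
        "same_project_number": same_number,
        "same_project": "project_id" in shared or same_number,
    }


if __name__ == "__main__":
    legit = firebase_identifiers(LEGIT_STRINGS_XML)
    for label, xml in (("suspect", SUSPECT_STRINGS_XML), ("unrelated", UNRELATED_STRINGS_XML)):
        print(label, shared_firebase_project(legit, firebase_identifiers(xml)))
```

The comparison deliberately does not rely on google_app_id matching exactly: each app registered in a Firebase project gets its own app hash, so a malicious app added to a legitimate developer's project (or to a project the attacker obtained access to) will differ in that field while still sharing the project ID and sender ID. A match on project_id or on the project number is the finding worth escalating; a match on google_api_key alone is weaker, since restricted API keys are sometimes reused across projects.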
To lure unsuspecting users into downloading their malicious mobile software, Arid Viper operatives distribute links masquerading as legitimate dating app updates. The links point to malicious APKs that install the malware on the victims' devices.
The Android malware has several capabilities, including disabling security notifications, stealing sensitive information from the device and installing additional malicious applications on the compromised devices.
The investigation by Cisco Talos also uncovered a complex network of dating-themed applications related to Skipped. Notably, Skipped GmbH, the publisher behind Skipped, is a German-based entity seemingly tied to numerous dating apps published by companies in Singapore and Dubai. Many of these applications prompt users to purchase “coins” for continued interaction, potentially generating revenue for the APT operators.