Researchers at cybersecurity provider ESET detected five cyber espionage campaigns starting in 2022, targeting Android users with trojanized apps in Egypt and Palestine.

In a new report, ESET provided further details on these campaigns, which it attributed with medium confidence to the Arid Viper hacking group.

The ESET researchers named the multistage spyware used to infect the target Android apps ‘AridSpy.’

Trojanized Messaging Apps

These cyber espionage campaigns rely on distribution websites from which victims can download and manually install Android applications.

Some apps provided by these websites are seemingly legitimate chat apps trojanized with malicious code designed for espionage purposes – this is the AridSpy malware.

These malicious apps impersonate NortirChat, LapizaChat, ReblyChat, PariberyChat and RenatChat.

When ESET published its analysis, the campaigns using the first three trojanized chat apps were still ongoing, while the latter two were inactive.

“Note that these malicious apps have never been offered through Google Play and are downloaded from third-party sites. To install these apps, the potential victim is requested to enable the non-default Android option to install apps from unknown sources,” the ESET researchers added.

Fake ‘Palestinian Civil Registry’

In addition to trojanized messaging apps, the hackers behind AridSpy also used two seemingly legitimate apps distributed on the same dedicated websites: a ‘Palestinian Civil Registry’ app and an Arabic job opportunity app.

The former is inspired by an existing app on the Google Play Store, while the latter is a pure invention of the hackers.