AridSpy¶
AridSpy is a multistage Android spyware operated by Arid Viper (also tracked as APT-C-23, Desert Falcons, Two-tailed Scorpion), a Palestinian cyberespionage group active since at least 2013. ESET documented AridSpy in June 2024, identifying five campaigns that started in 2022 and distributed trojanized messaging apps, a fake job opportunity app, and a malicious Palestinian Civil Registry app. What distinguishes AridSpy from earlier Arid Viper Android tooling is its multistage payload architecture: the initial trojanized app downloads an AES-encrypted first-stage payload from C2, which then pulls a second-stage espionage module. This layered approach means the trojanized app itself contains no surveillance code, and the espionage payload persists independently even if the victim uninstalls the original app.
Overview¶
| Attribute | Details |
|---|---|
| First Seen | 2022 (current campaigns); earlier variants traced to 2021 |
| Last Seen | Ongoing (three of five campaigns still active as of June 2024) |
| Status | Active |
| Type | Multistage spyware, espionage |
| Attribution | Arid Viper (APT-C-23 / Desert Falcons / Two-tailed Scorpion) |
| Distribution | Trojanized apps on dedicated phishing websites |
Origin and Lineage¶
Arid Viper has operated Android malware for years; its earlier tooling is tracked as SpyC23 (named by ESET in 2020 and examined further by SentinelOne in 2023). AridSpy represents a significant evolution in the group's mobile capabilities. ESET's analysis found that AridSpy embeds a version number in the filenames of its exfiltrated data, and that this versioning traces back to 2021 variants disclosed by other researchers.
The transition to a multistage architecture is the defining change. Previous Arid Viper Android implants bundled all surveillance functionality into the initial app. AridSpy separates the delivery vehicle from the espionage payload, a design choice that reduces the chance of detection at install time and allows the operator to update espionage capabilities independently of the distribution app.
Arid Viper's broader operations span Windows, iOS, and Android, with a consistent focus on targets in Palestine, Egypt, and the wider Middle East. The group is attributed to Palestinian threat actors aligned with Hamas.
Distribution¶
AridSpy campaigns use dedicated websites that impersonate legitimate app download pages. The trojanized apps are built on top of real, functional messaging applications, so the victim gets a working chat app with embedded malware. Three of the five campaigns targeted messaging app users; one targeted job seekers; one targeted Palestinians seeking civil registry services.
| Vector | Details |
|---|---|
| LapizaChat | Trojanized version of StealthChat: Private Messaging, bundled with AridSpy |
| NortirChat | Trojanized version of Session, the encrypted messaging app |
| ReblyChat | Trojanized version of Voxer Walkie Talkie Messenger |
| Job opportunity app | Fake employment app distributed via a dedicated website |
| Palestinian Civil Registry | Not a trojanized clone; Arid Viper built a custom client that queries the legitimate Civil Registry server, with AridSpy embedded |
Attack Flow¶
- Target visits a dedicated website impersonating a messaging app, job portal, or civil registry service
- Target downloads and installs the trojanized APK
- The app functions normally (messaging works, civil registry queries return real data)
- The app checks whether security software is installed on the device
- If no security software is detected, AridSpy downloads an AES-encrypted first-stage payload from C2, decrypted with a hardcoded key
- The victim is prompted to install the first-stage payload, which masquerades as a Google Play Services update
- The first-stage payload operates independently; uninstalling the original trojanized app does not remove it
- The first-stage payload downloads the second-stage espionage module from C2
- The second-stage module begins active surveillance: keylogging, camera capture, call recording, file exfiltration
The Palestinian Civil Registry app is particularly notable. Rather than trojanizing an existing app, Arid Viper created a functional client that communicates with the legitimate Palestinian Civil Registry server. Victims get real civil registry data while being surveilled.
Capabilities¶
Core Features¶
| Capability | Implementation |
|---|---|
| Keylogging | Records all visible and editable text across any application |
| Camera capture | Takes photos via front camera on screen lock/unlock events (throttled to 40-minute intervals, only above 15% battery) |
| Call recording | Records phone calls and ambient audio |
| Contact exfiltration | Extracts full contact list |
| SMS theft | Reads and exfiltrates all text messages |
| Call log access | Collects complete call history |
| Location tracking | Captures device GPS coordinates |
| WhatsApp database theft | Exfiltrates WhatsApp conversation databases |
| Facebook Messenger theft | Extracts Facebook Messenger communications separately |
| Notification monitoring | Captures all received notifications |
| Browser data theft | Exfiltrates bookmarks and search history |
| Photo/video thumbnails | Steals thumbnails of stored photos and videos |
| Device profiling | Reports installed apps (specifically checks for Messenger and WhatsApp), storage, battery, connectivity, timezone |
Multistage Architecture¶
AridSpy's payload chain operates in three distinct stages:
| Stage | Function |
|---|---|
| Trojanized app | Delivery vehicle; functional app with embedded loader; checks for security software before proceeding |
| First-stage payload | Downloaded from C2 as AES-encrypted blob, decrypted with hardcoded key; masquerades as Google Play Services update; operates independently of the trojanized app |
| Second-stage payload | Downloaded by first stage; contains all espionage functionality; handles data collection and exfiltration |
This architecture provides several operational advantages. The trojanized app itself contains no surveillance code, reducing the likelihood of detection during analysis. The first-stage payload persists even if the victim becomes suspicious and uninstalls the original app. The operator can update espionage capabilities by pushing a new second stage without redistributing the initial app.
Dual C2 Channels¶
| Channel | Purpose |
|---|---|
| Firebase C2 | Receives commands and configuration updates |
| Hardcoded C2 domain | Data exfiltration endpoint, separate from the command channel |
Separating the command channel from the exfiltration channel means that blocking or sinkholing one endpoint does not stop the operation by itself: a device whose exfiltration domain is blocked can still receive commands, and a device cut off from Firebase can still upload collected data. Defenders need to cover both.
Technical Details¶
Security Software Detection¶
Before downloading the first-stage payload, the trojanized app checks whether security software is installed on the device. If it finds any, it does not request the payload at all. This is a simple but effective gate: victims without a recognised security app receive the full payload chain, while an analysis device with a mobile antivirus installed never issues the download request, so dynamic analysis has to run without such apps (or with package enumeration hooked) to observe the second and third stages.
AES Encryption¶
The first-stage payload is encrypted with AES using a key hardcoded in the trojanized app. The encryption keeps the blob opaque to signature scanning on the wire and on disk before installation, but because the key ships with every sample, any analyst who has the trojanized app can recover it and decrypt the payload offline. It is an evasion layer against automated scanning, not confidentiality against targeted analysis.
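The loader behaviour described in the attack flow, the multistage table, and the two sections above, as one added worked example in Go. This is code written for this article, not code from the page, from ESET, or from the malware: it gates on a hypothetical list of security-app package names, decrypts a constructed encrypted blob with a hypothetical hardcoded key, and checks that the result is an APK before the "install" prompt would be shown. The package names, the key value, and the AES mode (AES-128-CBC, zero IV, PKCS#7 padding) are all assumptions; the report says only that the blob is AES-encrypted with a hardcoded key. encryptStage exists only to build the sample blob; in the real chain the blob comes from C2.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// Hypothetical hardcoded key, standing in for whatever the real loader embeds.
// Assumption for this example: AES-128-CBC, zero IV, PKCS#7 padding.
var hardcodedKey = []byte("0123456789abcdef")

// Hypothetical package names of security apps the loader refuses to run beside.
// Constructed for the example; the page names no specific packages.
var securityPackages = map[string]bool{
	"com.example.antivirus":      true,
	"com.example.mobilesecurity": true,
}

// installedSecuritySoftware mirrors the loader's gate: any match aborts delivery.
func installedSecuritySoftware(installed []string) []string {
	var hits []string
	for _, pkg := range installed {
		if securityPackages[pkg] {
			hits = append(hits, pkg)
		}
	}
	return hits
}

func pkcs7Pad(b []byte, bs int) []byte {
	n := bs - len(b)%bs
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 {
		return nil, errors.New("empty plaintext")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// decryptStage is all an analyst with the sample needs: the key is in the APK.
func decryptStage(blob, key []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(blob) == 0 || len(blob)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext not block-aligned")
	}
	out := make([]byte, len(blob))
	cipher.NewCBCDecrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(out, blob)
	return pkcs7Unpad(out)
}

// encryptStage only builds the constructed sample; the real blob is served by C2.
func encryptStage(plain, key []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plain, aes.BlockSize)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(out, padded)
	return out, nil
}

// looksLikeAPK checks the ZIP local-file-header magic every APK starts with.
func looksLikeAPK(b []byte) bool { return bytes.HasPrefix(b, []byte("PK\x03\x04")) }

// fetchStageOne models the loader: gate on security software, then decrypt and
// validate the blob before the victim would be prompted to install it.
func fetchStageOne(installed []string, blob []byte) ([]byte, error) {
	if hits := installedSecuritySoftware(installed); len(hits) > 0 {
		return nil, fmt.Errorf("security software present (%v); payload not requested", hits)
	}
	plain, err := decryptStage(blob, hardcodedKey)
	if err != nil {
		return nil, err
	}
	if !looksLikeAPK(plain) {
		return nil, errors.New("decrypted payload is not an APK")
	}
	return plain, nil
}

func main() {
	// Constructed stand-in for the first-stage APK: ZIP magic plus filler bytes.
	fakeAPK := append([]byte("PK\x03\x04"), bytes.Repeat([]byte{0}, 28)...)
	blob, _ := encryptStage(fakeAPK, hardcodedKey)
	_, err := fetchStageOne([]string{"com.whatsapp", "com.example.antivirus"}, blob)
	fmt.Println("with a security app installed:", err)
	plain, err := fetchStageOne([]string{"com.whatsapp"}, blob)
	fmt.Println("without one: got APK =", looksLikeAPK(plain), "err =", err)
}
```

Two things to take from this model: the gate runs before any network request, so a test device with a security app installed produces no download to capture; and once the key is pulled from the trojanized app, decryptStage recovers the first stage without any help from the C2.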
Camera Capture Logic¶
AridSpy's camera capture is throttled to avoid draining the battery or alerting the victim. Photos are taken only when the screen is locked or unlocked, with a minimum interval of 40 minutes between captures and a battery threshold of 15%. The default camera is front-facing, but the operator can switch to the rear camera via a Firebase command.
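The capture gate described above, as an added example in Go written for this article (not the malware's own code): a small state machine that applies the 15% battery floor and the 40-minute gap on each lock or unlock event and honours a camera-switch command. The command string format (`camera:rear`) is an assumption; the page only says the switch arrives as a Firebase command. MaxCapturesPerDay is a derived figure, not something the report states.

```go
package main

import (
	"fmt"
	"time"
)

const (
	minCaptureGap   = 40 * time.Minute // page: at least 40 minutes between photos
	minBatteryLevel = 15               // page: no capture unless battery is above 15%
)

// CameraFacing is the lens the next capture uses: front by default, rear on command.
type CameraFacing string

const (
	FrontCamera CameraFacing = "front"
	RearCamera  CameraFacing = "rear"
)

// CameraThrottle models the capture gate as the page describes it.
type CameraThrottle struct {
	Facing      CameraFacing
	lastCapture time.Time
	hasCaptured bool
}

func NewCameraThrottle() *CameraThrottle { return &CameraThrottle{Facing: FrontCamera} }

// OnScreenEvent is called on every lock or unlock. It returns true when a photo
// would be taken and records the time so the 40-minute gap is enforced. Events
// rejected for battery do not reset the timer.
func (c *CameraThrottle) OnScreenEvent(now time.Time, batteryPct int) bool {
	if batteryPct <= minBatteryLevel {
		return false
	}
	if c.hasCaptured && now.Sub(c.lastCapture) < minCaptureGap {
		return false
	}
	c.lastCapture = now
	c.hasCaptured = true
	return true
}

// ApplyCommand handles the operator's camera switch. The "camera:<facing>" format
// is an assumption for this example.
func (c *CameraThrottle) ApplyCommand(cmd string) error {
	switch cmd {
	case "camera:front":
		c.Facing = FrontCamera
	case "camera:rear":
		c.Facing = RearCamera
	default:
		return fmt.Errorf("unknown command %q", cmd)
	}
	return nil
}

// MaxCapturesPerDay is the ceiling the gap imposes: an upper bound on how many
// photo uploads one compromised device can generate in 24 hours.
func MaxCapturesPerDay() int { return int(24 * time.Hour / minCaptureGap) }

func main() {
	c := NewCameraThrottle()
	t0 := time.Date(2024, 6, 1, 8, 0, 0, 0, time.UTC)
	// Constructed day of lock/unlock events: (minutes after t0, battery %).
	events := [][2]int{{0, 80}, {5, 79}, {39, 70}, {41, 14}, {45, 60}, {90, 55}}
	for _, e := range events {
		took := c.OnScreenEvent(t0.Add(time.Duration(e[0])*time.Minute), e[1])
		fmt.Printf("+%3d min, battery %2d%%: capture=%v (%s)\n", e[0], e[1], took, c.Facing)
	}
	_ = c.ApplyCommand("camera:rear")
	fmt.Println("after command, facing:", c.Facing, "; max/day:", MaxCapturesPerDay())
}
```

The throttle caps a device at 36 captures per day, and in practice far fewer, which is why the photo channel shows up as a sparse trickle of small uploads rather than a burst; hunting for it on the network means looking for low-volume periodic posts to the exfiltration domain, not large transfers.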
Version Tracking¶
AridSpy embeds a version number in the filenames of exfiltrated data. ESET noted that this versioning has been consistent across campaigns, including earlier 2021 variants, suggesting a continuously maintained codebase rather than one-off builds.
Target Regions¶
| Region | Details |
|---|---|
| Palestine | Primary target; Palestinian Civil Registry app campaign, messaging app campaigns |
| Egypt | Secondary target; messaging app campaigns |
Arid Viper's targeting aligns with Palestinian political and intelligence interests. The Palestinian Civil Registry campaign is specifically designed for targets within Palestine, while the trojanized messaging apps cast a wider net across Palestine and Egypt.
Notable Campaigns¶
2022: AridSpy campaigns begin distributing trojanized messaging apps through dedicated websites. LapizaChat (based on StealthChat), NortirChat (based on Session), and ReblyChat (based on Voxer) are deployed across separate campaigns.
2022-2024: A fake job opportunity app is distributed via a dedicated website, targeting job seekers in the region.
2022-2024: The Palestinian Civil Registry campaign launches, using a custom-built app that returns real civil registry data while deploying AridSpy's multistage payload chain. This campaign registers the majority of Palestine-based infections.
June 2024: ESET publishes the full technical analysis of AridSpy, documenting five campaigns, three of which remain active at the time of publication. The research details the multistage architecture, trojanized app list, and espionage capabilities.
Related Families¶
AridSpy is the latest in Arid Viper's Android tooling lineage. Its predecessor, SpyC23, was named by ESET in 2020 and analysed again by SentinelOne in 2023; it shared the same operational focus on Middle Eastern targets but packed its surveillance functionality into the installed app rather than using AridSpy's multistage payload chain.
Within the broader Android spyware landscape, AridSpy's multistage approach parallels Predator's Alien-loader-to-Predator-implant chain and Hermit's modular architecture. All three separate the initial delivery from the espionage payload, though through different mechanisms. Predator uses exploit chains for delivery, Hermit was delivered with ISP assistance (the target's data connectivity was cut and an SMS link to a supposed fix was sent), and AridSpy uses trojanized functional apps on phishing websites.
The trojanized messaging app strategy shares similarities with PJobRAT, which also distributes fake chat apps for espionage. Both families target specific regions with social engineering tailored to local contexts, and both prioritize WhatsApp and messaging data extraction. The key difference is architectural: PJobRAT bundles all functionality in a single app, while AridSpy distributes its capabilities across multiple stages.
AridSpy's keylogging across all applications, camera capture on device events, and notification monitoring place it in the same capability tier as commercial spyware like FinSpy, though its distribution relies entirely on social engineering rather than exploit delivery.