Arid Viper Targeting Arabic Android Users with Spyware Disguised as Dating App

Oct 31, 2023 | Newsroom | Cyber War / Malware

The threat actor known as Arid Viper (aka APT-C-23, Desert Falcon, or TAG-63) is alleged to be behind an Android spyware campaign targeting Arabic-speaking users with a fake dating app designed to harvest data from infected handsets.

“Arid Viper’s Android malware has several features that enable operators to covertly collect sensitive information from victims’ devices and deploy additional executables,” Cisco Talos said in a Tuesday report.

Active since 2017, Arid Viper is a cyber espionage group aligned with Hamas, an Islamist militant movement that governs the Gaza Strip. The cybersecurity firm said there was no evidence connecting the campaign to the ongoing Israel-Hamas war.

The campaign is believed to have begun no earlier than April 2022.

Interestingly, the mobile malware shares source code similarities with a non-malicious online dating application called Skipped, suggesting that the operators are either linked to the latter's developer or were able to copy its features in an attempt at deception.

The use of seemingly benign chat applications to deliver the malware “is consistent with the ‘honey trap’ tactics used by Arid Viper in the past,” which has resorted to using fake profiles on social media platforms to trick potential targets into installing them.

Cisco Talos said it also identified an expanding web of companies that create dating-themed applications similar to Skipped, which can be downloaded from the official app stores for Android and iOS.

  • VIVIO – Chat, flirt and Dating (Available on the Apple App Store)
  • Met (formerly Joostly) – Flirt, Chat & Dating (Available on the Apple App Store)
  • SKIPPED – Chat, Match & Dating (50,000 downloads on Google Play Store)
  • Joostly – Dating App! Singles (10,000 downloads on Google Play)

The array of simulated dating applications raises the possibility that “Arid Viper operators may seek to use these additional applications in future malicious campaigns,” the company said.

The malware, once installed, hides itself on a victim's device by turning off system or security notifications from the operating system. It also disables notifications on Samsung mobile devices and on any Android phone that has an APK package whose name contains the word “security,” in order to fly under the radar.

It is also designed to request intrusive permissions to record audio and video, read contacts, access call logs, intercept SMS messages, change Wi-Fi settings, terminate background apps, take photos, and create system alerts.
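A defender triaging a sideloaded chat or dating APK can check how many of the capabilities listed above its manifest requests. The sketch below is an added example, not code from Cisco Talos or from the malware. The mapping from each capability to a standard Android permission name, the review threshold of 6, the helper names and both sample manifests are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Assumed mapping: capabilities named in the article -> standard Android permissions.
CAPABILITIES = {
    "record audio": {P + "RECORD_AUDIO"},
    "record video / take photos": {P + "CAMERA"},
    "read contacts": {P + "READ_CONTACTS"},
    "access call logs": {P + "READ_CALL_LOG"},
    "intercept SMS": {P + "RECEIVE_SMS", P + "READ_SMS"},
    "change Wi-Fi settings": {P + "CHANGE_WIFI_STATE"},
    "terminate background apps": {P + "KILL_BACKGROUND_PROCESSES"},
    "create system alerts": {P + "SYSTEM_ALERT_WINDOW"},
}

def requested_permissions(manifest_xml):
    """Return the permission names declared in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    tags = ("uses-permission", "uses-permission-sdk-23")
    return {el.get(ANDROID_NS + "name") for el in root.iter() if el.tag in tags} - {None}

def triage(manifest_xml, threshold=6):
    """Flag a manifest for analyst review when it covers >= threshold capabilities."""
    perms = requested_permissions(manifest_xml)
    matched = sorted(c for c, names in CAPABILITIES.items() if perms & names)
    return {"matched": matched, "review": len(matched) >= threshold}

def manifest(package, perms):
    """Build a constructed sample manifest (not taken from any real app)."""
    lines = "".join(f'<uses-permission android:name="{P}{p}"/>' for p in perms)
    return (f'<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="{package}">{lines}<application/></manifest>')

# Constructed samples: a chat app asking for nearly everything, and a modest one.
SUSPECT = manifest("com.example.chatdating", [
    "INTERNET", "RECORD_AUDIO", "CAMERA", "READ_CONTACTS", "READ_CALL_LOG",
    "RECEIVE_SMS", "CHANGE_WIFI_STATE", "KILL_BACKGROUND_PROCESSES"])
BENIGN = manifest("com.example.photos", ["INTERNET", "CAMERA"])

if __name__ == "__main__":
    for name, xml in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, triage(xml))
```

A high count is a reason for manual review, not a verdict, since legitimate messaging apps also request several of these permissions.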

Other notable features of the implant include the ability to retrieve system information, obtain an updated command-and-control (C2) domain from the current C2 server, and download additional malware, which is camouflaged as legitimate apps such as Facebook Messenger, Instagram, and WhatsApp.

The development comes as Recorded Future revealed signs that potentially connect Arid Viper to Hamas through infrastructure overlaps related to an Android application named Al Qassam that was circulated on a Telegram channel claiming to be affiliated with the Izz ad-Din al-Qassam Brigades, the military wing of Hamas.

“They describe not only a possible operational security slip but also the ownership of the infrastructure shared between the groups,” the company said. “One possible hypothesis to explain this observation is that TAG-63 shares infrastructure resources with the rest of the Hamas organization.”
