Arid Viper

The Arid Viper group has a long history of using mobile malware, including at least four Android spyware families and one short-lived iOS implant, Phenakite. The SpyC23 Android malware family has existed since at least 2019, though shared code between the Arid Viper spyware families dates back to 2017. It was first reported in 2020 by ESET in a campaign where the actor used a third-party app store to distribute weaponized Android packages (APKs). That campaign featured several apps that mimic Telegram and Android application update managers.[1]

Through 2022 and early 2023, Arid Viper developed several newer SpyC23 versions that share these themes: two apps mimic Telegram, while another is internally called APP-UPGRADE but is based on a romance-themed messaging app called Skipped Messenger. Cisco Talos recently reported on the history of Skipped Messenger, revealing that the once-benign dating application was likely passed from the original developer to the Arid Viper actor.

SentinelLabs compared these newer versions of SpyC23 to the earlier 2020 version, as well as several older Android spyware families associated with Arid Viper: GnatSpy, FrozenCell, and VAMP. Many changes have been made in SpyC23’s development; however, there are notable overlaps with these older families, and the taxonomy is less distinct.

App Analysis - The theme of these applications centers on messaging and communications. We identified two distinct themes: one mimics Telegram, and the other mimics an apparent dating-themed app called Skipped Messenger. The group has previously relied on Telegram-themed messengers and romance-themed lures and apps.

Arid Viper often relies on social engineering to deliver malware with pretexts, allowing operators to engage closer to their intended victims. The social engineering approach is a boon for delivering Android malware, as there are many hurdles for the actor to overcome before a user successfully installs a malicious app. Working the installation flow into a social engineering pretext is likely more effective than expecting users to install spyware successfully without prompting.

There is a non-weaponized version of Skipped Messenger (SHA-1: 6e1867bd841f4dc16bef21b5a958eec7a6497c4e) that shares the same Firebase service hostname skippedtestinapp[.]firebaseio[.]com as the malicious version. As the Talos report noted, Skipped was originally a legitimate dating app. The Google Play store version was last updated in August 2021.
[Image: Skipped Messenger & Telegram app main screen]

Like most malicious Android apps, these apps ask users to enable permissions that facilitate spyware activities.
[Image: Skipped Messenger screens prompting the user to enable Accessibility features]

The application permissions give a high degree of control over the device, including:

  • Accessing the phone’s location
  • Making calls without user interaction
  • Monitoring calls made by the user
  • Recording with the microphone, capturing audio output
  • Read & Write to storage
  • Read & Write to the Contacts list
  • Modifying network state
  • Collecting a list of accounts used on the device
  • Downloading files to the phone without user interaction
  • Launching Java archive (JAR) files as a Service
  • Reading notifications received on the device, as well as any connected wearables
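As an added example (not code from the original report or from SentinelLabs), the following Python triage script reads a decoded plain-text AndroidManifest.xml, such as apktool produces, and maps the requested permissions and privileged service bindings onto the capability list above. The manifest embedded in it is constructed for illustration and is not the manifest of any SpyC23 sample; the mapping from Android permission names to capabilities is the example's own assumption about which permissions back each listed capability.

```python
import xml.etree.ElementTree as ET

# Constructed manifest (decoded plain-text form, as produced by apktool).
# It is NOT the manifest of any SpyC23 sample; the permission names were
# chosen only to mirror the capability list in the article.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.constructed.messenger">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.WRITE_CONTACTS"/>
    <uses-permission android:name="android.permission.CHANGE_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
    <application android:label="Messenger">
        <service android:name=".AccService"
                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
        <service android:name=".NotifService"
                 android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    </application>
</manifest>
"""

# Attribute names in a manifest live in the android: namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping from permission to the spyware capability it enables.
RISKY_PERMISSIONS = {
    "android.permission.ACCESS_FINE_LOCATION": "location tracking",
    "android.permission.ACCESS_COARSE_LOCATION": "location tracking",
    "android.permission.CALL_PHONE": "placing calls without interaction",
    "android.permission.READ_CALL_LOG": "call monitoring",
    "android.permission.PROCESS_OUTGOING_CALLS": "call monitoring",
    "android.permission.RECORD_AUDIO": "microphone recording",
    "android.permission.READ_EXTERNAL_STORAGE": "storage read",
    "android.permission.WRITE_EXTERNAL_STORAGE": "storage write",
    "android.permission.READ_CONTACTS": "contacts read",
    "android.permission.WRITE_CONTACTS": "contacts write",
    "android.permission.CHANGE_NETWORK_STATE": "network state modification",
    "android.permission.GET_ACCOUNTS": "account enumeration",
}

# Services bound with these permissions receive privileged system callbacks:
# an accessibility service sees screen content and input, a notification
# listener sees every notification (including from paired wearables).
RISKY_SERVICE_PERMISSIONS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification listener",
}


def requested_permissions(manifest_xml):
    """Return the sorted list of <uses-permission> names in the manifest."""
    root = ET.fromstring(manifest_xml)
    return sorted(el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))


def privileged_services(manifest_xml):
    """Map each service bound with a privileged permission to its role."""
    root = ET.fromstring(manifest_xml)
    found = {}
    for svc in root.iter("service"):
        perm = svc.get(ANDROID_NS + "permission")
        if perm in RISKY_SERVICE_PERMISSIONS:
            found[svc.get(ANDROID_NS + "name")] = RISKY_SERVICE_PERMISSIONS[perm]
    return found


def triage(manifest_xml):
    """Summarise the spyware-relevant capabilities a manifest requests."""
    perms = requested_permissions(manifest_xml)
    capabilities = sorted({RISKY_PERMISSIONS[p] for p in perms if p in RISKY_PERMISSIONS})
    return {
        "capabilities": capabilities,
        "privileged_services": privileged_services(manifest_xml),
        "unflagged": [p for p in perms if p not in RISKY_PERMISSIONS],
    }


if __name__ == "__main__":
    report = triage(SAMPLE_MANIFEST)
    for cap in report["capabilities"]:
        print("capability:", cap)
    for name, role in report["privileged_services"].items():
        print("privileged service:", name, "->", role)
    print("not flagged:", ", ".join(report["unflagged"]))
```

A messaging app legitimately needs a few of these entries, so the useful signal is the combination: location, call log, microphone, contacts and an accessibility service together in one manifest is the profile the article describes, and is worth a second look regardless of the app's stated purpose.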

The developer employed anti-decompilation and anti-virtualization techniques to complicate the analysis.  Each of these APKs contains application code that is obfuscated. On emulated Android devices, the apps flash and repeatedly cycle through prompts even after the requested permissions have been granted.

Comparing these new versions with older SpyC23 variants, there is a significant overlap in package names, which strengthens the link between the old and new versions. In the image below, the older version on the left houses malicious activity in the update.BBM package, and the version we discovered on the right houses similar subpackages in the apps.sklite.pacJava package.
[Image: Java subpackage names: SpyC23 2020 (left) and APP-UPGRADE APK 2023 (right)]

The overlaps continue in the class names. The actor frequently names classes after people’s names, as outlined in the rc_cola/tas_ran_rc_col package structure.
[Image: Java class names: SpyC23 2020 (left) and APP-UPGRADE APK 2023 (right)]

These applications are quite large, making analysis of each class impractical. Instead, we will focus on several notable classes and methods.

ACCAPPService - This class handles some communications to the C2. The class contains code for the user to uninstall the application. The SendToServerTask subclass logs when the user is in a ‘dangerous’ menu: it parses input containing the active menu name for the English words ‘apps’ or ‘applications’ and the Arabic word for ‘Applications’.
[Image: “User In Dangerous Menu” logging messages]

Brodie - This class is responsible for much of the app’s upload request handling, acting as an interface between the app and the C2 server. Brodie contains a method named isProbablyArabic, suggesting again that these apps are used against Arabic-speaking targets.
[Image: isProbablyArabic method from the Brodie class]

CallRecService - This service enables the spyware’s call recording feature. The class is imported from an external library, libcallrecfix.so, and runs as a service. The native library is based on at least two open-source Android call recording projects, though neither is actively maintained. This was implemented in 2020 and has been a staple of SpyC23 iterations. The library is a binary compiled for each app’s compatible architectures.

checkRaw - This audio upload service has many of the same status logging strings and media recording parameters seen in older versions of Arid Viper’s Android toolsets, including FrozenCell, reported by Lookout in 2017, and VAMP, reported by Palo Alto in 2017 as well.

[Image: RcNewService class from FrozenCell (left) and checkRaw class from the 2023 APP-UPGRADE version of SpyC23 (right)]

Some elements of this audio recording code are present in GitHub repositories described as a teardown of the Telegram Android app.  While this is potentially an adaptation of open-source software, the similarities between the SpyC23 APKs are consistent, and the external versions do not have the same variables or logging messages.

Moller - This class is notable because it contains code that spans back to earlier versions of Arid Viper’s Android spyware.  We identified a 2017 GnatSpy sample from Trend Micro’s Arid Viper reporting that shares the same upload functionality through a subclass JsDirService.


Panda - This class loads methods from the external libraries libRoams.so and lib-uoil.so. The code imports several functions related to manufacturer-specific implementations, including Huawei, Oppo, and Xiaomi. The Panda class imports methods from the open-source Gotev Android Upload Service, which was also used by the older versions of SpyC23. Panda imports methods from the OkHttp library to craft HTTP requests. When the onCreate method runs, it initializes the Gotev service, parses the C2 configuration values, and registers GarciaReceiver. This receiver monitors for a connection state change, which was also present in older versions.

[Image: onCreate method inside the Panda class]

Like older versions of SpyC23, this class has logic to parse and decode the C2 server details from strings stored inside lib-uoil.so and related binaries. The strings are partially Base64-encoded, with what is likely an additional encoding layer on top that yields the correct C2 server URIs. The previous technique of dropping the strings before and after the hyphen remains, and a further substitution step removes spaces and underscores, replacing them with hyphens.

C2 Infrastructure - The C2 servers used by these apps continue the longstanding Arid Viper domain naming scheme of a hyphenated hostname built from Western-sounding personal names. The primary C2 servers are:

  • luis-dubuque[.]in - C2 domain used by the APP-UPGRADE Skipped Messenger APK
  • danny-cartwright[.]firm[.]in - C2 domain used by the com.teleram.app APK
  • conner-margie[.]com - C2 domain used by com.alied.santafi

Analysts have included additional network indicators associated with app features unique to the APKs analyzed, including Google Cloud project hostnames and Firebase messaging hostnames.
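A defender's first use of the domains above is to look for them in DNS or proxy logs. The following Python snippet is an added example, not code from the report or from SentinelLabs: it refangs the C2 domains and cloud hostnames exactly as published on this page, then matches query names in a few constructed DNS log lines (the log format and the lines are made up for the example), treating subdomains of an indicator as hits while rejecting look-alike hostnames that merely end with the same string.

```python
import re

# Indicators as published in the report (C2 domains are defanged with [.]).
REPORT_DOMAINS = [
    "luis-dubuque[.]in",
    "danny-cartwright[.]firm[.]in",
    "conner-margie[.]com",
    "rashonal.appspot.com",
    "jolia-16e7b.appspot.com",
    "yellwo-473d0.appspot.com",
    "skippedtestinapp.firebaseio.com",
]


def refang(domain):
    """Turn a defanged indicator ('example[.]com') back into a matchable hostname."""
    return domain.replace("[.]", ".").lower().rstrip(".")


IOC_SET = {refang(d) for d in REPORT_DOMAINS}


def matches_ioc(hostname):
    """Return the matching indicator if hostname equals it or is a subdomain of it.

    Matching is done label-by-label, so 'api.luis-dubuque.in' hits
    'luis-dubuque.in' but 'notconner-margie.com' does not hit 'conner-margie.com'.
    """
    labels = hostname.lower().rstrip(".").split(".")
    # Try the full name, then each parent suffix down to two labels.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in IOC_SET:
            return candidate
    return None


# Constructed log lines in an assumed "<timestamp> <client> <qtype> <qname>" format.
# None of these records real traffic.
SAMPLE_DNS_LOG = """\
2023-10-31T12:00:01Z 10.0.0.5 A www.google.com
2023-10-31T12:00:02Z 10.0.0.5 A api.luis-dubuque.in
2023-10-31T12:00:03Z 10.0.0.9 AAAA DANNY-CARTWRIGHT.firm.in.
2023-10-31T12:00:04Z 10.0.0.7 A notconner-margie.com
2023-10-31T12:00:05Z 10.0.0.7 A jolia-16e7b.appspot.com
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>\S+)\s+(?P<qname>\S+)$")


def scan_dns_log(text):
    """Return (timestamp, client, queried name, matched indicator) for every hit."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ioc = matches_ioc(m["qname"])
        if ioc:
            hits.append((m["ts"], m["client"], m["qname"], ioc))
    return hits


if __name__ == "__main__":
    for ts, client, qname, ioc in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{ts} {client} queried {qname} (matches {ioc})")
```

The appspot.com and googleusercontent.com entries deserve care in production: they are tenant-specific hostnames on shared Google infrastructure, so match them exactly as listed rather than on the parent domain, which the label-wise comparison above already does.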

Conclusion - The discovery of these APKs demonstrates that Arid Viper continues to thrive in the mobile malware space. The dedication to anti-analysis and obfuscation suggests that the developers are aware of security research and have applied measures to deter analysis and remain under the radar. The presence of code from other Arid Viper Android spyware families in SpyC23 strengthens the connection between this group’s various iterations of tools. The resulting bloat from carrying over older versions of the spyware aids attribution in the complex mobile malware landscape that pervades the Middle East.

Arid Viper has historically targeted military personnel in the Middle East, as well as journalists and dissidents. The most recent versions of SpyC23 highlight the actor’s focus on Arabic speakers, which is a notable development given the actor’s historical penchant for targeting Israeli military personnel with Android spyware.

Those at risk of being targeted by this group should avoid installing applications from outside the Google Play Store.  Everyone should remain wary when installing new apps from any source: does this app need the permissions it requests? In the case of SpyC23 apps, there is a lengthy walkthrough with images guiding the user to accept an inordinate number of permissions.

SentinelLabs would like to thank the research team at Cisco Talos for their collaboration on this research.

Indicators of Compromise

SHA1                                      Notes
03448782d5b717b7ad1a13b1841119bc033f40dd  Teleram /lib/mips/librealm-jni.so
12af178d20ec7e1294873304b0ea81b5fcfd6333  Teleram /lib/armeabi-v7a/librealm-jni.so
17ab647f3b7ccf15b82f51e19301e682f7e8c82a  APP-UPGRADE /armeabi-v7a/libRoams.so
29814eacb12b53efcda496485765a30c3c2b589e  Santafi /lib/x86_64/libsonsod.so
2f0895fa9e1a404da46f56ab13c131de1a0eac1e  APP-UPGRADE /x86/libRoams.so
300fb7a0597519b99b6120d16666be9b29ee5508  APP-UPGRADE /x86_64/libcallrecfix.so
31ba9425007d17745bb6b44c85042dcbd15fe837  Santafi /lib/x86_64/libcallrecfix.so
46bfcb28cde424d0d11e5772c2683391b0f1491a  com.teleram.app.apk, a Telegram-themed APK
4f58d69c53685365a4b6df70eca6fa203e6ba674  APP-UPGRADE /x86_64/libRoams.so
532876649c027ebaea56604fbcd7ce909a8aa4e3  APP-UPGRADE /arm64-v8a/libcallrecfix.so
5476d52ab6f982bb29ba2ace0074e77523f9f655  APP-UPGRADE /x86/libcallrecfix.so
55c9c7a53c9468d365743f155b2af7e189586822  APP-UPGRADE /arm64-v8a/libRoams.so
5a238ade0b402c3dbef7c82406649f27ae6b479a  Santafi /lib/x86/libcallrecfix.so
600442488eb9536c821188dfad9d59e987ff7a56  Santafi /lib/armeabi-v7a/libsonsod.so
6f68e8645b4b88d7608310b7736749368398914a  Teleram /lib/x86/librealm-jni.so
793177ffe60030fefbe6a17361b266980f151fa4  Santafi /lib/arm64-v8a/libcallrecfix.so
893dae5ded7eb0a35e84867e62cbbb7e831aac97  Santafi /lib/arm64-v8a/libdalia.so
9c1c02a387b0aa59b09962f18e4873699d732019  Santafi /lib/armeabi-v7a/libcallrecfix.so
9d9696bc552dc5dbb4d925d0fb04f77018deef50  Teleram /lib/x86_64/librealm-jni.so
a610a05d6087bc1493e505fd4c1e4ef4b29697e3  com.alied.santafi.apk, a Telegram-themed APK
a8937d38cc8edb9b2dfb1e6e1c5cad6f63ae0ecc  APP-UPGRADE /x86/libuoil.so
a8e0b6fda4bc1bd93d2a0bc30e18c65eb7f07dec  Teleram /lib/arm64-v8a/libcallrecfix.so
aacb4e5f9e6b516b52d0008f2e5f58c60b46610b  Teleram /lib/armeabi-v7a/libcallrecfix.so
ae8d4853377f4a553ecad0c84398ef9dc8735072  Teleram /lib/x86/libcallrecfix.so
b9835174a9a4445dc4d5ff572a79c54f234120bf  Santafi /lib/armeabi-v7a/libdalia.so
c0f4592df97073fb5021e2acee0a3763b8fbaf76  Teleram /lib/x86_64/libcallrecfix.so
c1c5a00b22e7d12e8a41d5d8fbe625ecb218fa7c  Santafi /lib/arm64-v8a/libsonsod.so
c396327a2332bd6fbc771a97b5e0d4d1a43e8f72  APP-UPGRADE-themed Skipped Messenger APK
ce954dcc62f17f6e31bfa9164f5976740f1b127e  APP-UPGRADE /arm64-v8a/libuoil.so
cfa5ef1bff2746407f96ab5c86b66ec5cf305e77  Santafi /lib/x86_64/libdalia.so
da690c4b1569e1f0b0734762c0f274e3ba33ded1  APP-UPGRADE /armeabi-v7a/libuoil.so
de92fb9af9d6e68a001b6263b9c3158325d77f99  Teleram /lib/arm64-v8a/librealm-jni.so
e05ce0496c6d20c24997c17a65c44ccd08cb2a10  APP-UPGRADE /armeabi-v7a/libcallrecfix.so
eb14e05364e675fcf03934be549ae96b36b12af0  Santafi /lib/x86/libdalia.so
f8adf63d34eb54121389b9847771d110978aec8e  APP-UPGRADE /x86_64/libuoil.so
fb7b9681567478a660413ec591fc802e35a55b7e  Santafi /lib/x86/libsonsod.so

Domain  Notes
1058215140016-kv5c01acm9r7argbis96lmudg6p68koe.apps.googleusercontent.com  Google Cloud content hostname used by the APP-UPGRADE Skipped Messenger APK
1095841779797-idgdkor5mh0lbjeq5spcksbj7jpdlaj9.apps.googleusercontent.com  Google Cloud web client hostname used by com.alied.santafi
314359296475-glearr20do927s2v75cgiocb585gqjgd.apps.googleusercontent.com  Google Cloud web client hostname used by the Teleram app
conner-margie[.]com  C2 domain used by com.alied.santafi
danny-cartwright[.]firm[.]in  C2 domain used by the com.teleram.app APK
jolia-16e7b.appspot.com  Google Storage bucket used by com.alied.santafi
luis-dubuque[.]in  C2 domain used by the APP-UPGRADE Skipped Messenger APK
rashonal.appspot.com  Google Cloud web client hostname used by the APP-UPGRADE Skipped Messenger APK
skippedtestinapp.firebaseio.com  Firebase service for Skipped Messenger APKs
yellwo-473d0.appspot.com  Google Storage bucket used by the Teleram app
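As an added example, not part of the report or of SentinelLabs' tooling, this Python script hashes the native libraries inside an APK and compares them, together with the whole-file hash, against the SHA-1 indicators from the table above (a subset of the table is embedded; the remaining hashes can be pasted in the same way). The APK it scans is a constructed zip with placeholder .so files, so against the real indicator set it reports no hits; passing the placeholder's own hash exercises the positive path. Checking the per-architecture libraries rather than only the APK matters here because the report lists the same libcallrecfix.so, libRoams.so, libuoil.so and libsonsod.so libraries under several APKs.

```python
import hashlib
import io
import zipfile

# Subset of the SHA-1 indicators from the table above (all values from the report).
REPORT_SHA1 = {
    "46bfcb28cde424d0d11e5772c2683391b0f1491a",  # com.teleram.app.apk
    "a610a05d6087bc1493e505fd4c1e4ef4b29697e3",  # com.alied.santafi.apk
    "c396327a2332bd6fbc771a97b5e0d4d1a43e8f72",  # APP-UPGRADE Skipped Messenger APK
    "532876649c027ebaea56604fbcd7ce909a8aa4e3",  # APP-UPGRADE /arm64-v8a/libcallrecfix.so
    "e05ce0496c6d20c24997c17a65c44ccd08cb2a10",  # APP-UPGRADE /armeabi-v7a/libcallrecfix.so
    "55c9c7a53c9468d365743f155b2af7e189586822",  # APP-UPGRADE /arm64-v8a/libRoams.so
    "ce954dcc62f17f6e31bfa9164f5976740f1b127e",  # APP-UPGRADE /arm64-v8a/libuoil.so
    "793177ffe60030fefbe6a17361b266980f151fa4",  # Santafi /lib/arm64-v8a/libcallrecfix.so
}


def sha1_hex(data):
    """Hex SHA-1 of a byte string."""
    return hashlib.sha1(data).hexdigest()


def scan_apk(apk_bytes, ioc_sha1):
    """Return (entry name, sha1) for the APK itself and each native library that matches.

    An APK is a zip file; native code lives under lib/<abi>/*.so, one copy per
    supported architecture, so each copy is hashed and checked separately.
    """
    hits = []
    whole = sha1_hex(apk_bytes)
    if whole in ioc_sha1:
        hits.append(("<apk>", whole))
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            name = info.filename
            if name.startswith("lib/") and name.endswith(".so"):
                digest = sha1_hex(z.read(info))
                if digest in ioc_sha1:
                    hits.append((name, digest))
    return hits


# Constructed stand-in for an APK: a zip containing placeholder "libraries".
# These bytes are not a real ELF file and match no real indicator.
FAKE_LIB = b"\x7fELF constructed placeholder, not a real library\n"
OTHER_LIB = b"\x7fELF another constructed placeholder\n"


def build_sample_apk():
    """Build an in-memory zip laid out like an APK with two native libraries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<constructed/>")
        z.writestr("lib/arm64-v8a/libcallrecfix.so", FAKE_LIB)
        z.writestr("lib/x86/libother.so", OTHER_LIB)
    return buf.getvalue()


if __name__ == "__main__":
    apk = build_sample_apk()
    print("hits against report indicators:", scan_apk(apk, REPORT_SHA1))
    # Demonstrate a positive match using the placeholder's own hash.
    print("hits against placeholder hash:", scan_apk(apk, {sha1_hex(FAKE_LIB)}))
```

To run it on a real file, read the APK with `open(path, "rb").read()` and pass the full table in place of the subset; because the indicators are SHA-1 values, hash the raw zip entries rather than any decoded output from apktool or jadx.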



Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  We thank our colleagues at Sentinel Labs for sharing this great collection and analysis.  By sharing, we all will be cyber-safe.  For questions, comments, a demo, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com    


[1] https://www.sentinelone.com/labs/arid-viper-apts-nest-of-spyc23-malware-continues-to-target-android-devices/
