DesertScorpion

This spike in account creation towards the later half of 2019 was observed alongside an increase in attempts to distribute both iOS and Android malware as well as phish credentials from users.

In all cases the successful installation of these tools did not require any exploits. This suggests that Arid Viper operators continue to heavily rely on social engineering to distribute their malware.

Android malware was typically hosted on convincing looking attacker-controlled phishing sites.

The main changes from earlier research centered primarily around code obfuscation being added by those developing this malware.

Facebook found recent variants pretending to be popular Android applications for dating, networking, and regional banking in the Middle East.

the values for those C2 domains first contacted weren’t hardcoded in the Java layer, where they would be clearly visible, instead they were encrypted and stored in a separate ELF binary.

Retrieve photos from the camera roll ... Retrieve contacts ... Retrieve text messages ... Search for and return the path of files with a doc or PDF extension

The analyzed Arid Viper Android malware contained the following functionality: • Take screenshots or record video

Phenakite periodically recording audio and notifying C2 infrastructure... Similarly, Phenakite periodically uses the camera of a compromised device to take photos

Phenakite periodically uses the camera of a compromised device to take photos and sends these automatically to attacker infrastructure.

Search for files of specific types and add them to RAR archives for exfiltration

Use Base64 to obfuscate command and control communications

Some Primewire samples utilize “multipart/form-data” for command and control check-ins... other samples combine the C2 parameters into a single “application/x-www-form-urlencoded” POST body.

uploading any files present before recursively uploading any files in subdirectories.