The threat actor known as Arid Viper (aka APT-C-23, Desert Falcon, or TAG-63) has been attributed as behind an Android spyware campaign targeting Arabic-speaking users with a counterfeit dating app designed to harvest data from infected handsets.

“Arid Viper’s Android malware has a number of features that enable the operators to surreptitiously collect sensitive information from victims’ devices and deploy additional executables,” Cisco Talos said in a Tuesday report.

Active since at least 2017, Arid Viper is a cyber espionage that’s aligned with Hamas, an Islamist militant movement that governs the Gaza Strip. The cybersecurity firm said there is no evidence connecting the campaign to the ongoing Israel-Hamas war.

The activity is believed to have commenced no earlier than April 2022.

Interestingly, the mobile malware shares source code similarities with a non-malicious online dating application called Skipped, suggesting that the operators are either linked to the latter’s developer or managed to copy its features in an attempt at deception.

The use of seemingly-benign chat applications to deliver malware is “in line with the ‘honey trap’ tactics used by Arid Viper in the past,” which has resorted to leveraging fake profiles on social media platforms to trick potential targets into installing them.

Cisco Talos said it also identified an extended web of companies that create dating-themed applications that are similar or identical to Skipped and can be downloaded from the official app stores for Android and iOS.

  • VIVIO – Chat, flirt & Dating (Available on Apple App Store)
  • Meeted (previously Joostly) – Flirt, Chat & Dating (Available on Apple App Store)
  • SKIPPED – Chat, Match & Dating (50,000 downloads on Google Play Store)
  • Joostly – Dating App! Singles (10,000 downloads on Google Play)

The array of simulated dating applications has raised the possibility that “Arid Viper operators may seek to leverage these additional applications in future malicious campaigns,” the company noted.

Attack chains entail sending targets a link to a tutorial video for the purported dating application hosted on video-sharing services like YouTube. Present within the video’s description is a URL that, when clicked, directs to an attacker-controlled domain that serves the APK malware.

The malware, once installed, hides itself on a victim machine by turning off system or security notifications from the operating system and also disables notifications on Samsung mobile devices and on any Android phone with the APK package name containing the word “security” to fly under the radar.

It’s also designed to request for intrusive permissions to record audio and video, read contacts, access call logs, intercept SMS messages, alter Wi-Fi settings, terminate background apps, take pictures, and create system alerts.

Among other noteworthy features of the implant includes the ability to retrieve system information, get an updated command-and-control (C2) domain from the current C2 server, as well as download additional malware, which is camouflaged as legitimate apps like Facebook Messenger, Instagram, and WhatsApp.

The development comes as Recorded Future revealed signs possibly connecting Arid Viper to Hamas through infrastructure overlaps related to an Android application named Al Qassam that’s been disseminated in a Telegram Channel claiming affiliation to Izz ad-Din al-Qassam Brigades, the military wing of Hamas.

“They depict not only a possible slip in operational security but also ownership of the infrastructure shared between groups,” the company said. “One possible hypothesis to explain this observation is that TAG-63 shares infrastructure resources with the rest of the Hamas organization.”