Arid Viper Camouflages Malware in Knockoff Dating App

APT group Arid Viper targets Arabic-speaking Android users with a spoof version of a dating app to collect sensitive user information.

According to research by Cisco Talos, the group replicates a dating app named Skipped with a malicious version using a similar name, available for download in the Google Play store.

Once downloaded, the operators share malicious links, masquerading as updates in order to get the user to a tutorial video. A URL in the video’s description directs users to an attacker-controlled domain that serves the custom malware.

The YouTube account was created in March 2022 and has only uploaded one video, which had around 50 views at the time of publishing the research. The company determined all of the domains used by the attackers in this campaign are solely registered, operated, and controlled by Arid Viper, and they follow the same naming patterns observed in previous iterations of Arid Viper infrastructure.

The malware can also disable security notifications, collect users' sensitive information, and deploy additional malicious applications on compromised devices. The researchers determined that the malware campaign has been active since at least April 2022.