Arid Viper

Lookout Coverage and Recommendation for Admins

Lookout users are protected from both the malicious sites used to deliver the malware as well as the malware itself. In order to ensure protection across the entire mobile fleet, Lookout admins should first enable Phishing & Content Protection (PCP) in the Lookout admin console. This will help protect against threats like this that leverage malicious sites to deliver malware to mobile devices. 

While all Lookout users are protected against this malware, admins should review their application policies in the Lookout console to protect against malicious and risky apps. Doing so will enable them to set appropriate risk levels and responses in alignment with their organizational security posture.

‍

Overview 

Earlier this week, researchers released findings related to the advanced persistent threat group known as Arid Viper, which has been active since at least 2013. Arid Viper targets high-profile individuals with targeted malware across Android, iOS, and Windows devices. Researchers in the Lookout Threat Lab have attributed a handful of mobile malware families, many of which the team discovered, to Arid Viper including DesertSpider, DesertScorpion, ReboundRAT, FrozenCell, HoneyRAT, RedFox and BadPatch. The research shows that Arid Viper continues to use similar tactics as before - socially engineering high-profile individuals to get targets to download a malicious Android APK file. 

Once the malware is installed on the target’s device, it relies on permissions like recording audio and video, reading contacts, taking pictures, intercepting SMS messages, and more. It can also hide itself by turning off OS-level security notifications and can be used to download additional malware that camouflages itself as legitimate apps like Messenger, Instagram, and WhatsApp.

Lookout Analysis

Lookout has detected almost 1,500 different samples of these malware families since they were discovered, which shows the malware is alive and well. Arid Viper uses a very common attack chain that continues to be highly effective - leveraging social engineering via phishing to get targeted individuals to download malicious apps. If an employee downloads an app laced with malware like FrozenCell, there’s no limit to what the attacker could come across by snooping on text messages, photos, and other data on the device. An easy example would be two executives texting about company financials, product development plans, or a possible acquisition. 

Socially engineering individuals on mobile devices is a tried and true tactic - and one that isn’t going anywhere. Its follow-on actions can vary - from installing malware to simply leading an individual to a fake login page of any number of corporate apps in order to steal their credentials. The risk gets particularly high when an individual uses their personal device for work since the number of ways those social engineering messages can be delivered increases substantially. 

‍