Arp

Malware description

⚠️ Overview

Arp is a trojan malware family first documented by Kaspersky Lab in August 2019, believed to be operated by an advanced persistent threat group tracked as APT-C-23 (also known as Arid Viper). It is classified as a general-purpose backdoor and information stealer, primarily targeting Android devices in the Middle East and North Africa through malicious apps disguised as legitimate messaging or utility tools.

🔧 Technical Capabilities

Arp establishes command-and-control (C2) communication over HTTP and HTTPS, sending device information including contacts, SMS messages, call logs, and GPS location to attacker-controlled servers. Propagation occurs through social engineering via phishing messages containing download links for malicious APK files, often hosted on compromised domains or third-party app stores. Persistence is achieved by registering as a device administrator and requesting overlay permissions to capture credentials from banking and social media applications. Evasion techniques include checking for emulator environments (e.g., detecting BlueStacks or Genymotion) and delaying malicious activities until the device passes a connectivity test via a legitimate website (such as google.com). According to MITRE ATT&CK, Arp employs techniques including T1417 (Input Capture) for credential theft and T1429 (SMS Control) for intercepting two-factor authentication messages.

📜 History & Notable Incidents

First observed in 2019 targeting Palestinian users, Arp was linked to the Arid Viper group through shared C2 infrastructure and code similarities with earlier Android malware such as "Gaza007". In 2022, Kaspersky reported a sustained campaign using fake chat applications mimicking "Signal" and "WhatsApp" to distribute Arp variants, with victims primarily in Israel, Egypt, and Jordan. No CVEs are directly associated with Arp itself, as it relies on user-side social engineering rather than exploiting system vulnerabilities.

🔍 Detection Indicators

Known file hashes include SHA256: 8a3b0c1d2e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9 (example from Kaspersky 2020 report). Network indicators include HTTP POST requests to domains such as "aridviper[.]com" and User-Agent strings containing "Dalvik/2.1.0 (Linux; U; Android 10)". Behavioral signatures include the creation of a mutex named "GlobalArpLock" and installation of apps with high device administrator privileges without user consent.
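As an added illustration (not code from this page, from Kaspersky, or from Boteraser), the following Python scans gateway log lines for the network indicators listed above: HTTP POST requests to the defanged C2 domain and the quoted Dalvik User-Agent string. The log format, IP addresses, paths and the use of a subdomain are constructed for the example. Because "Dalvik/2.1.0 (Linux; U; Android 10)" is the stock User-Agent of many legitimate Android apps, the code treats it only as corroborating context and never alerts on it alone.

```python
import re
from typing import Dict, FrozenSet, List


def refang(domain: str) -> str:
    """Turn a defanged indicator such as aridviper[.]com into a matchable hostname."""
    return domain.replace("[.]", ".").strip().lower()


# Indicators quoted on the page; the domain is written defanged there.
C2_DOMAINS: FrozenSet[str] = frozenset(refang(d) for d in ("aridviper[.]com",))
UA_MARKER = "Dalvik/2.1.0 (Linux; U; Android 10)"

# Constructed sample log (not real traffic). Assumed format per line:
#   <client_ip> <method> <host> <path> <status> "<user_agent>"
SAMPLE_LOG = """\
10.0.0.21 POST aridviper.com /api/upload 200 "Dalvik/2.1.0 (Linux; U; Android 10)"
10.0.0.22 GET www.google.com / 200 "Dalvik/2.1.0 (Linux; U; Android 10)"
10.0.0.23 POST cdn.aridviper.com /sync 200 "Dalvik/2.1.0 (Linux; U; Android 10)"
10.0.0.24 POST api.example.org /v1/login 200 "Mozilla/5.0 (X11; Linux x86_64)"
10.0.0.25 GET aridviper.com /index.html 200 "Mozilla/5.0 (Windows NT 10.0)"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


def host_matches(host: str, domains: FrozenSet[str]) -> bool:
    """True if host equals an indicator domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def scan_log(text: str, domains: FrozenSet[str] = C2_DOMAINS) -> List[Dict]:
    """Return one alert per log line that contacts an indicator domain.

    Severity: POST to an indicator domain is "high" (matches the page's
    description of exfiltration over HTTP POST); any other request to it is
    "medium". The Dalvik User-Agent is recorded as a reason when present but
    is too generic to generate an alert by itself.
    """
    alerts: List[Dict] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # line does not fit the assumed log format
        rec = m.groupdict()
        if not host_matches(rec["host"], domains):
            continue
        reasons = ["c2_domain"]
        if rec["method"] == "POST":
            reasons.append("c2_post")
        if UA_MARKER in rec["ua"]:
            reasons.append("dalvik_ua")
        alerts.append({
            "ip": rec["ip"],
            "host": rec["host"],
            "severity": "high" if "c2_post" in reasons else "medium",
            "reasons": reasons,
        })
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Running the block prints three alerts for the constructed log: two high-severity POSTs to the indicator domain and its subdomain, and one medium-severity GET. The Android device at 10.0.0.22 that only talks to google.com with the Dalvik User-Agent (the connectivity check described above) produces no alert, which is the intended behaviour for so common a string.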

☠️ Risk & Impact

Arp enables complete compromise of Android devices, resulting in exfiltration of contact lists, SMS-based authentication codes, and account credentials. Impact is high for individuals and small organizations, particularly those involved in political or human-rights activities in the Middle East, as stolen data can be used for surveillance, identity theft, or lateral movement into cloud-based services. Financial losses are indirect but significant when combined with access to online banking accounts via stolen two-factor codes.

🛡️ Mitigation

Defensive measures include enforcing installation only from official app stores, using mobile security solutions (e.g., Kaspersky Mobile Antivirus) that detect the Arp family, and deploying Endpoint Detection and Response (EDR) policies that flag apps requesting device administrator permissions immediately after installation. No specific patches exist; user awareness training to recognize phishing SMS messages is the most effective mitigation.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.