Android Spyware ‘Asin’ Uses Fake News and Utility Apps to Target Arabic-Speaking Users


Researchers at ESET have identified a previously undocumented Android spyware strain called Asin that is being distributed through fraudulent websites aimed at Arabic-speaking users.

According to the security company, the activity was first observed in early 2025 and involved several separate campaigns. The operators used different websites during each phase of the operation, presenting them as legitimate services to encourage users to download malicious Android applications.

Among the websites identified by researchers was govlens[.]net, which was registered in May 2025 and presented itself as a government-related news platform. Another site, pdf-reader[.]help, registered two days later, claimed to provide secure PDF viewing and editing capabilities. A third domain, live-war-map[.]com, registered in January 2025, advertised itself as a source of information about military incidents and conflict activity.

ESET found that some of these websites were promoted through social media accounts on Facebook and Telegram. The campaign's Telegram presence appeared to draw inspiration from Live Universal Awareness Map (Liveuamap), a legitimate service widely used to monitor armed conflicts, humanitarian crises, natural disasters, human rights developments, and geopolitical events around the world.

While the websites offered services that appeared useful or relevant to their intended audience, the downloaded applications contained hidden spyware components. Researchers said the malicious apps combined advertised functionality with surveillance capabilities operating in the background.

Additional evidence suggests the campaign remained active beyond its initial discovery. ESET identified several artifacts linked to Asin, including a sample uploaded to VirusTotal from Türkiye in October 2025. Another malicious Android package was downloaded from the domain c-pdf[.]net in December 2025 by a user operating a Xiaomi Redmi Note 13 Pro running Android 15.

Researchers also revealed a separate application disguised as Syria Defense Map. That sample was detected on a Xiaomi Redmi Note 13 Pro+ 5G device using Android 15 around mid-January 2026. In that case, the application was reportedly obtained through the website syriadefensemap[.]com.
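The distribution domains named in this article can be used as a watchlist against web proxy logs. The script below is an added example, not code from ESET or from this blog; the log format, client addresses, timestamps, and URL paths are constructed for illustration, and flagging `.apk` paths is an assumption about how a download would appear in a log.

```python
from urllib.parse import urlsplit

# Distribution domains exactly as the article lists them (defanged).
DEFANGED = ["govlens[.]net", "pdf-reader[.]help", "live-war-map[.]com",
            "c-pdf[.]net", "syriadefensemap[.]com"]

def refang(text):
    """Turn a defanged indicator or log line back into its real form."""
    return text.replace("[.]", ".")

WATCHLIST = frozenset(refang(d).lower() for d in DEFANGED)

def matched_domain(host):
    """Return the watchlisted domain that host equals or is a subdomain of."""
    labels = host.lower().rstrip(".").split(".")
    # Compare whole-label suffixes only, so look-alike hosts that merely
    # contain a listed name as a substring or prefix do not match.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in WATCHLIST:
            return candidate
    return None

def scan(log_lines):
    """Return (client, domain, is_apk) for each request to a watchlisted host."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line
        client, url = fields[1], fields[2]
        parts = urlsplit(url)
        domain = matched_domain(parts.hostname or "")
        if domain:
            hits.append((client, domain, parts.path.lower().endswith(".apk")))
    return hits

# Constructed sample log (assumed format: "<timestamp> <client-ip> <url>"),
# kept defanged in source and refanged only in memory.
SAMPLE_LOG = [refang(line) for line in [
    "2026-01-15T09:12:01Z 10.0.4.17 https://syriadefensemap[.]com/download/app.apk",
    "2026-01-15T09:13:40Z 10.0.4.22 https://notgovlens[.]net/index.html",
    "2026-01-15T09:14:05Z 10.0.4.31 http://cdn.c-pdf[.]net/",
    "2026-01-15T09:15:27Z 10.0.4.40 https://c-pdf[.]net.example[.]org/reader.apk",
    "2026-01-15T09:16:00Z 10.0.4.17 https://GovLens[.]NET./news",
]]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Only the first, third, and fifth sample lines are reported; the two look-alike hosts are ignored because matching is done on whole DNS labels rather than substrings.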

As with many Android threats distributed outside official app marketplaces, users must manually install the software before it can operate. The spyware also relies on victims granting requested permissions, which can provide access to sensitive information stored on the device.

ESET has not attributed the activity to any known threat group, and the purpose behind the operation remains uncertain. However, the themes used throughout the campaign provide some indication of who may have been in the attackers' sights.

The company noted that three of the fraudulent applications, GovLens, WarMap, and Syria Defense Map, appear particularly relevant to individuals involved in open-source intelligence (OSINT) research. Because the applications focused on news gathering, conflict tracking, and investigative information, researchers believe Arabic-speaking journalists and OSINT practitioners may have been among the intended targets.

The findings illustrate how threat actors continue to package malicious code within applications that appear credible and useful. By exploiting interest in current events, government information, and conflict monitoring, attackers increase the likelihood that users will install software capable of collecting data from their devices without raising immediate suspicion. 
