Android Spyware ‘Asin’ Uses Fake News and Utility Apps to Target Arabic-Speaking Users

Researchers at ESET have identified a previously undocumented Android spyware strain called Asin that is being distributed through fraudulent websites aimed at Arabic-speaking users.

According to the security company, the activity was first observed in early 2025 and involved several separate campaigns. The operators used different websites during each phase of the operation, presenting them as legitimate services to encourage users to download malicious Android applications.

Among the websites identified by researchers was govlens[.]net, which was registered in May 2025 and presented itself as a government-related news platform. Another site, pdf-reader[.]help, registered two days later, claimed to provide secure PDF viewing and editing capabilities. A third domain, live-war-map[.]com, registered in January 2025, advertised itself as a source of information about military incidents and conflict activity.

ESET found that some of these websites were promoted through social media accounts on Facebook and Telegram. The campaign's Telegram presence appeared to draw inspiration from Live Universal Awareness Map (Liveuamap), a legitimate service widely used to monitor armed conflicts, humanitarian crises, natural disasters, human rights developments, and geopolitical events around the world.

While the websites offered services that appeared useful or relevant to their intended audience, the downloaded applications contained hidden spyware components. Researchers said the malicious apps combined advertised functionality with surveillance capabilities operating in the background.

Additional evidence suggests the campaign remained active beyond its initial discovery. ESET identified several artifacts linked to Asin, including a sample uploaded to VirusTotal from Türkiye in October 2025. Another malicious Android package was downloaded from the domain c-pdf[.]net in December 2025 by a user operating a Xiaomi Redmi Note 13 Pro running Android 15.

Researchers also revealed a separate application disguised as Syria Defense Map. That sample was detected on a Xiaomi Redmi Note 13 Pro+ 5G device using Android 15 around mid-January 2026. In that case, the application was reportedly obtained through the website syriadefensemap[.]com.
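The five distribution domains named above are the most directly actionable detail in the report for a defender. The following is an added example, not ESET's code or tooling: it refangs the domains from their published `[.]` form and matches them, label-aware, against resolver query logs. The log format (one line per query: timestamp, client, query type, name) is an assumption, and the sample lines are constructed rather than real traffic.

```python
"""Match the defanged Asin distribution domains from the post against DNS query logs.
Added example for this page; not ESET's code. Log format is assumed, sample log is constructed."""

import re
from typing import Iterable

# Domains as published in the post, kept defanged so the list itself is not clickable.
ASIN_DOMAINS_DEFANGED = [
    "govlens[.]net",
    "pdf-reader[.]help",
    "live-war-map[.]com",
    "c-pdf[.]net",
    "syriadefensemap[.]com",
]


def refang(ioc: str) -> str:
    """Undo common defanging: '[.]', '(.)', '{.}' -> '.', leading 'hxxp' -> 'http'.
    Also lower-cases and strips a trailing dot (FQDN form) so comparisons are uniform."""
    s = ioc.strip().lower()
    s = re.sub(r"[\[\(\{]\.[\]\)\}]", ".", s)
    s = re.sub(r"^hxxp", "http", s)
    return s.rstrip(".")


def domain_matches(qname: str, ioc_domain: str) -> bool:
    """True if qname is the IOC domain or a subdomain of it.
    The suffix check is label-aware: 'notc-pdf.net' must not match 'c-pdf.net'."""
    q = refang(qname)
    return q == ioc_domain or q.endswith("." + ioc_domain)


# Assumed resolver log format: "<ISO timestamp> <client ip> <qtype> <qname>"
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(A|AAAA|HTTPS|CNAME)\s+(\S+)$")


def scan_dns_log(lines: Iterable[str], defanged_iocs=ASIN_DOMAINS_DEFANGED):
    """Return (timestamp, client, qname, matched_ioc) for every query that hits an IOC."""
    iocs = [refang(d) for d in defanged_iocs]
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        ts, client, _qtype, qname = m.groups()
        for ioc in iocs:
            if domain_matches(qname, ioc):
                hits.append((ts, client, qname.rstrip(".").lower(), ioc))
                break
    return hits


# Constructed sample log (not real traffic): two hits, one look-alike miss, one benign name.
SAMPLE_LOG = [
    "2025-12-03T10:15:22Z 10.0.0.5 A cdn.c-pdf.net.",
    "2025-12-03T10:15:23Z 10.0.0.5 HTTPS notc-pdf.net",
    "2026-01-15T08:02:11Z 10.0.0.9 A syriadefensemap.com",
    "2026-01-15T08:02:12Z 10.0.0.9 A liveuamap.com",
]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG):
        print("IOC hit:", *hit)
```

The look-alike line is there deliberately: a naive `endswith("c-pdf.net")` would flag `notc-pdf.net`, so the check prepends the dot and compares against the whole label boundary. The legitimate `liveuamap.com`, which the campaign imitated, is included to show it is not matched.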

As with most Android threats distributed outside official app marketplaces, the victim has to install the APK manually (sideload it), which on current Android versions means allowing installation from an unknown source. The spyware also depends on the victim granting the permissions it requests at runtime; those permissions are what give it access to sensitive information stored on the device.

ESET has not attributed the activity to any known threat group, and the purpose behind the operation remains uncertain. However, the themes used throughout the campaign provide some indication of who may have been in the attackers' sights.

The company noted that three of the fraudulent applications, GovLens, WarMap, and Syria Defense Map, appear particularly relevant to individuals involved in open-source intelligence (OSINT) research. Because the applications focused on news gathering, conflict tracking, and investigative information, researchers believe Arabic-speaking journalists and OSINT practitioners may have been among the intended targets.

The findings illustrate how threat actors continue to package malicious code within applications that appear credible and useful. By exploiting interest in current events, government information, and conflict monitoring, attackers increase the likelihood that users will install software capable of collecting data from their devices without raising immediate suspicion. 

Ubuntu Services Remain Disrupted After DDoS Attack Targets Canonical Infrastructure

Several Ubuntu users reported problems installing updates and downloading packages after parts of Canonical’s infrastructure were disrupted during a Distributed Denial of Service (DDoS) attack. Canonical, the company behind the Ubuntu Linux distribution, confirmed that its online systems had been targeted.

In a statement released during the outage, Canonical said its web infrastructure was facing what it described as a sustained cross-border cyberattack and that teams were working to restore affected services. The company added that further updates would be shared through official channels once more information became available.

Discussions across Ubuntu community forums suggested that multiple services were affected during the incident, including Ubuntu’s security API and several Canonical-operated websites. Users also stated that software installations and system updates were temporarily unavailable or failing to complete properly.

Responsibility for the attack was later claimed by a group calling itself “The Islamic Cyber Resistance in Iraq 313 Team.” In Telegram posts attributed to the group, the attackers allegedly said they used a DDoS-for-hire platform known as “Beamed” to carry out the operation.

Beamed is described as a “booter” or “stresser” service, a category of platforms that let customers pay for DDoS attacks against targets of their choosing. These services are often advertised as tools for load-testing a customer's own website, although security researchers have repeatedly linked them to disruptive attacks on third parties. According to claims associated with the platform, Beamed can generate attacks of up to 3.5 terabits per second; that figure comes from the operators themselves, but traffic at that scale would be enough to overwhelm all but the best-provisioned infrastructure.

A DDoS attack floods a server or network with traffic from a large number of devices at the same time, exhausting bandwidth, connection state, or application capacity. Once systems are saturated, legitimate users can no longer reach the websites, applications, or services behind them. Unlike ransomware campaigns or data breaches, the primary goal of most DDoS attacks is to deny availability rather than to steal information.
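The paragraph above describes the attack from the attacker's side. From the defender's side, the first signal is usually an aggregate request rate that no single client accounts for. The following is an added example, not Canonical's tooling and not tied to the real attack traffic: it buckets web server access-log lines into fixed time windows and flags both a single noisy source and a window whose total is high even though every source in it is individually quiet. The log format (common log format with an ISO 8601 timestamp), the thresholds, and the sample lines are all assumptions or constructed data.

```python
"""Rate-based detection of a volumetric HTTP flood from access logs.
Added example for this page; not Canonical's tooling. Log format, thresholds
and sample lines are assumed/constructed."""

from collections import Counter, defaultdict
from datetime import datetime, timezone
import re

# Assumed format: '<ip> - - [<ISO 8601 time>] "<method> <path> HTTP/x" <status> <bytes>'
ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)$'
)


def parse_line(line: str):
    """Return (epoch_seconds, ip, request) or None for a malformed line."""
    m = ACCESS_LINE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return ts.timestamp(), m["ip"], m["req"]


def detect_flood(lines, window_s=10, per_source_threshold=50, total_threshold=200):
    """Bucket requests into fixed windows of window_s seconds and report:
      'sources': IPs exceeding per_source_threshold in any window (one noisy client);
      'windows': (window_start_epoch, total, distinct_sources) for windows whose total
                 exceeds total_threshold even when no single source stands out,
                 which is the distributed case the per-source rule alone misses."""
    per_window = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # tolerate log noise instead of failing the scan
        t, ip, _req = parsed
        per_window[int(t // window_s)][ip] += 1

    noisy_sources = set()
    hot_windows = []
    for window, counts in sorted(per_window.items()):
        total = sum(counts.values())
        if total > total_threshold:
            hot_windows.append((window * window_s, total, len(counts)))
        noisy_sources.update(ip for ip, n in counts.items() if n > per_source_threshold)
    return {"sources": noisy_sources, "windows": hot_windows}


def make_sample_log():
    """Constructed sample (not real traffic): a quiet 10 s window, then a window in which
    300 distinct addresses send one request each (distributed flood) and one address
    sends 60 requests (single noisy source)."""
    base = datetime(2026, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "GET /ubuntu/dists/noble/InRelease HTTP/1.1" 200 512'
    lines = []
    for i in range(5):  # quiet window: 5 requests from 5 hosts
        lines.append(fmt.format(ip=f"10.1.0.{i}", ts=base.replace(second=i).isoformat()))
    burst = base.replace(second=10).isoformat()
    for i in range(300):  # distributed burst across two /24s, 1 request per source
        lines.append(fmt.format(ip=f"198.51.{100 + i // 256}.{i % 256}", ts=burst))
    for _ in range(60):  # one client hammering the same path
        lines.append(fmt.format(ip="192.0.2.7", ts=burst))
    return lines


if __name__ == "__main__":
    result = detect_flood(make_sample_log())
    print("noisy sources:", sorted(result["sources"]))
    for start, total, distinct in result["windows"]:
        print(f"window starting {start:.0f}: {total} requests from {distinct} sources")
```

The two rules are deliberately separate: with 300 sources sending one request each, no per-source threshold will fire, so the aggregate window rule is what catches the distributed case. In practice the thresholds are tuned against a baseline of normal traffic for the host, and the output feeds a rate limiter or upstream scrubbing rather than being read by hand.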

To build these attack networks, threat actors compromise internet-connected devices with malware, typically by exploiting weak or default passwords, exposed services, unpatched software, and poorly secured smart (IoT) devices. Once infected, the devices become part of a botnet that is remotely controlled through a centralized command-and-control panel.

Access to these botnets is frequently sold through underground marketplaces and subscription-based services. Depending on the size and duration of the attack, prices can range from as little as $10 for lower-powered services to hundreds of dollars per month for larger and more persistent attacks.

The disruption drew attention within the open-source community because Ubuntu infrastructure is widely used across enterprise servers, development environments, cloud systems, and research institutions worldwide. Problems affecting package repositories or security update services can delay software deployments and patch management for organizations that rely on Ubuntu systems daily.

The incident also reflects how accessible DDoS-for-hire services have become over the past few years. Platforms offering attack infrastructure continue to reduce the technical barrier required to launch disruptive cyberattacks, allowing even low-skilled actors to rent large-scale attack capabilities for relatively small amounts of money.