Asin Android Spyware Targets Arabic Users via Fake News, PDF, and War Map Apps
ESET researchers have uncovered a new Android spyware strain dubbed "Asin" that has been actively targeting Arabic-speaking users through a series of malicious apps disguised as legitimate utilities. First detected in early 2025, the campaigns leverage several fraudulent websites impersonating a government news source, a secure PDF editor, and a live conflict-mapping service to distribute the malware. The threat actors have also promoted these lures via dedicated accounts on Facebook and Telegram, with the Telegram channel borrowing its name from the well-known Live Universal Awareness Map (Liveuamap) platform to appear credible.
The malicious infrastructure includes govlens[.]net, registered May 27, 2025 and impersonating a government news outlet; pdf-reader[.]help, registered May 29, 2025 and posing as a secure PDF editor; and live-war-map[.]com, registered January 20, 2025 and claiming to provide real-time military incident updates. Researchers have also identified a fourth domain, c-pdf[.]net, and a fifth, syriadefensemap[.]com, which hosted an APK masquerading as "Syria Defense Map." Anyone investigating these domains can use a WHOIS lookup to verify registration dates and ownership, or run a DNS leak test to ensure their own DNS queries aren't being exposed while researching the campaign.
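The five domains named above can be checked against DNS query logs. The following Python sketch is an added example, not code from ESET or from this article; the log line format, the sample log lines and the function names are assumptions constructed for illustration.

```python
import re

# Defanged domains exactly as listed in the article.
ASIN_DOMAINS_DEFANGED = ["govlens[.]net", "pdf-reader[.]help", "live-war-map[.]com",
                         "c-pdf[.]net", "syriadefensemap[.]com"]

# Assumed (constructed) resolver log format: "<ts> client=<ip> query=<name> type=<rr>"
LOG_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<qname>\S+) type=\S+$")

def refang(indicator):
    """Turn a defanged indicator (hxxp://, [.], (.), [dot]) into a plain hostname."""
    s = indicator.strip().lower()
    s = s.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    s = re.sub(r"^hxxps?://", "", s)
    return s.split("/")[0].rstrip(".")

BLOCKLIST = frozenset(refang(d) for d in ASIN_DOMAINS_DEFANGED)

def matched_indicator(hostname):
    """Return the listed domain that hostname equals or is a subdomain of, else None."""
    labels = hostname.strip().lower().rstrip(".").split(".")
    # Compare whole-label suffixes so "notc-pdf.net" does not match "c-pdf.net".
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in BLOCKLIST:
            return candidate
    return None

def scan(lines):
    """Return (timestamp, client, queried name, matched domain) for each hit."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        ioc = matched_indicator(m["qname"]) if m else None
        if ioc:
            hits.append((m["ts"], m["client"], m["qname"], ioc))
    return hits

# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    "2026-01-14T09:12:03Z client=10.0.0.23 query=www.govlens.net. type=A",
    "2026-01-14T09:12:09Z client=10.0.0.23 query=liveuamap.com type=A",
    "2026-01-14T09:13:40Z client=10.0.0.41 query=LIVE-WAR-MAP.com type=AAAA",
    "2026-01-14T09:14:02Z client=10.0.0.41 query=notc-pdf.net type=A",
    "2026-01-14T09:15:55Z client=10.0.0.77 query=dl.syriadefensemap.com type=A",
    "2026-01-14T09:16:10Z client=10.0.0.77 query=pdf-reader.help.example.org type=A",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Matching on whole-label suffixes catches subdomains and mixed-case or fully qualified names while leaving the legitimate liveuamap.com and look-alike strings unflagged.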
Several Asin artifacts have surfaced in the wild, including a sample uploaded to VirusTotal from Türkiye in October 2025, an APK pulled from c-pdf[.]net in December 2025 on a Xiaomi Redmi Note 13 Pro running Android 15, and a third sample posing as "Syria Defense Map" detected on a Xiaomi Redmi Note 13 Pro+ 5G running Android 15 in mid-January 2026. Victims are required to manually sideload the app and grant extensive permissions, after which the malware blends legitimate functionality with stealthy surveillance capabilities. The activity cluster remains unattributed, and ESET has not yet determined the primary objective behind the operations.
Based on the thematic lures (government news, secure document handling, and conflict mapping), ESET assesses that Arabic-speaking journalists and OSINT researchers were likely the primary targets. Three of the five fraudulent apps uncovered, namely GovLens, WarMap, and Syria Defense Map, appear designed for individuals engaged in open-source investigations. The campaign underscores the growing risk of watering-hole-style mobile attacks against at-risk user groups. Readers concerned about mobile surveillance can run a privacy checkup to review their device permissions and exposure footprint.