A new Android spyware campaign called Asin has targeted Arabic-speaking users through fake utility, news and conflict-tracking apps, according to a technical analysis by ESET. The activity was first seen in early 2025 and involved multiple websites and social media accounts used to distribute malicious APK files.
KEY FACTS
- Campaign themes The fake sites posed as a government news source, a PDF editor and a war map service.
- Distribution Two of the sites were promoted through Facebook and Telegram accounts.
- Targets The app lures suggest a focus on journalists and OSINT researchers in Arabic-speaking regions.
- Unknowns The cluster remains unattributed, and the main objective has not been confirmed.
The sites identified by the report included govlens[.]net, pdf-reader[.]help and live-war-map[.]com. The first two were registered in May 2025, while the war map domain was registered in January 2025.
The malware was also linked to several samples found on VirusTotal and on Android devices running Android 15, including one downloaded from c-pdf[.]net and another from syriadefensemap[.]com. In the last case, the user had to manually install the app and grant permissions before the spyware could work.
Three of the fraudulent apps, GovLens, WarMap and Syria Defense Map, appeared aimed at people interested in open-source investigation. The disclosure said that makes it possible the campaign was meant at least in part for Arabic-speaking journalists or OSINT practitioners.
WHY IT MATTERS
The campaign shows how mobile spyware can be hidden inside apps that appear useful to people tracking news and conflict updates. Because the apps require manual installation and permissions, users still need to be cautious about downloads outside official app stores.