Researchers from the Slovak company ESET have documented a new family of Android spyware codenamed Asin, targeting Arabic-speaking users. The malware is distributed via fake websites that imitate government news resources, PDF utilities, and interactive maps of military conflicts. According to ESET’s preliminary assessment, the main targets of the campaign may be journalists and open-source intelligence (OSINT) specialists in Arabic-speaking regions. The campaign remains unattributed — no links to any known group have been established.
Distribution mechanism and infrastructure
According to the researchers, the first Asin distribution campaigns were detected in early 2025. Each wave of attacks used separate websites with themed lures designed for a specific audience. The malicious apps distributed through these sites combined real functionality with hidden espionage capabilities — the user received a working app without suspecting any surveillance.
Identified infrastructure domains:
- live-war-map[.]com — a spoofed service for updates on military incidents (registered January 20, 2025)
- govlens[.]net — a spoofed government news source (registered May 27, 2025)
- pdf-reader[.]help — a spoofed secure PDF editor (registered May 29, 2025)
- c-pdf[.]net — an additional domain for distributing APKs
- syriadefensemap[.]com — used to distribute the “Syria Defense Map” app
Two of these resources — govlens[.]net and live-war-map[.]com — were promoted via specially created social media accounts: the www.facebook[.]com/GovLens page on Facebook and the t[.]me/liveuamap_ar channel on Telegram. As the researchers note, the name of the Telegram channel was presumably inspired by the legitimate Liveuamap platform — a well-known service for monitoring conflicts and geopolitical events around the world. Leveraging a recognizable brand increased potential victims’ trust in the shared links.
Discovered artifacts and timeline
ESET identified several Asin samples that made it possible to reconstruct the activity timeline:
- October 2025 — a sample was uploaded to VirusTotal from Turkey
- December 2025 — an APK was downloaded from the c-pdf[.]net domain by a user of a Xiaomi Redmi Note 13 Pro device running Android 15
- Mid-January 2026 — a sample masquerading as “Syria Defense Map” was found on a Xiaomi Redmi Note 13 Pro+ 5G device with Android 15, downloaded from syriadefensemap[.]com
In total, the researchers uncovered five malicious apps, three of which — GovLens, WarMap, and Syria Defense Map — are aimed at people interested in open-source investigations. An important detail: for the device to be compromised, the user must manually install the app and explicitly grant it the requested permissions. This indicates that the infection chain is built entirely on social engineering rather than on exploiting technical vulnerabilities.
Assessment of objectives and scope
ESET emphasizes that the campaign remains unattributed — no known APT group has been linked to this activity. The ultimate goals of the Asin operators are also unknown. However, the nature of the lures allows for preliminary conclusions about the intended audience.
Three of the five discovered apps are directly related to topics of interest to the OSINT community: conflict monitoring, government news, and war maps. This provides grounds to assume that the campaign is at least partially directed against Arabic-speaking journalists and open-source researchers. This category of professionals is highly valuable for intelligence operations: compromising their devices potentially opens access to source contacts, unpublished investigative materials, and information-gathering methodologies.
The geographical spread covers at least Arabic-speaking regions and Turkey, as evidenced by the sample uploaded to VirusTotal from that country.
Recommendations for protection
Given that Asin is distributed exclusively through third-party websites and requires manual installation, the main protective measures focus on preventing social engineering:
- Do not install APKs from third-party sources — use only the official Google Play Store. If an app is not available in the store, this is a serious red flag
- Verify domains before downloading: all identified malicious sites used unusual domains (the .help TLD, and .net/.com names atypical for official bodies) that are not associated with any official organization
- Critically evaluate links from Telegram and Facebook, especially from channels that imitate well-known platforms such as Liveuamap
- Check requested permissions: a PDF editor or conflict map should not request access to SMS, the microphone, or contacts
- Block the identified domains at the DNS or proxy level: govlens[.]net, pdf-reader[.]help, live-war-map[.]com, c-pdf[.]net, syriadefensemap[.]com
- Journalists and OSINT researchers are advised to use a separate device when working with potentially risky sources and apps
The Asin campaign demonstrates a targeted approach to compromising a specific professional audience through thematically relevant lures. Organizations and professionals working with open sources in Arabic-speaking regions should immediately check corporate and personal devices for the presence of the listed domains in browser history and network logs, and block these indicators of compromise at the network perimeter.
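The two defensive steps above (searching browser history and network logs for the listed domains, then blocking them) can be scripted. The following is an added example and is not ESET's tooling or code from the campaign analysis: it takes the five indicator domains from the article in their defanged form, re-fangs them, scans log lines for exact or subdomain matches, and renders a BIND Response Policy Zone (RPZ) blocklist. The dnsmasq- and squid-style log lines, client IPs and the 203.0.113.x server addresses are constructed sample data, not real observations.

```python
"""Scan DNS/proxy log lines for the Asin distribution domains and emit a blocklist.

Added example, not ESET's tooling. The indicator list is taken from the
article (defanged with [.]); the log lines below are constructed samples.
"""
import re
from typing import Iterable, List, Optional, Tuple

# Indicators as published in the article, kept in defanged form.
ASIN_DOMAINS_DEFANGED = [
    "govlens[.]net",
    "pdf-reader[.]help",
    "live-war-map[.]com",
    "c-pdf[.]net",
    "syriadefensemap[.]com",
]


def refang(domain: str) -> str:
    """Turn a defanged indicator ('example[.]com') into a matchable hostname."""
    return domain.replace("[.]", ".").lower().strip(".")


ASIN_DOMAINS = {refang(d) for d in ASIN_DOMAINS_DEFANGED}

# Any token that looks like a hostname inside a log line (DNS query, proxy URL, ...).
_HOST_RE = re.compile(r"(?<![\w.-])((?:[a-z0-9-]+\.)+[a-z]{2,})(?![\w-])", re.IGNORECASE)


def hostname_matches(host: str) -> Optional[str]:
    """Return the indicator that host equals or is a subdomain of, else None.

    The suffix test prepends a dot so that look-alikes such as 'notc-pdf.net'
    are not mistaken for 'c-pdf.net'.
    """
    host = host.lower().rstrip(".")
    for ioc in ASIN_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def scan_logs(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, indicator, line) for each log line that references an Asin domain."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for m in _HOST_RE.finditer(line):
            ioc = hostname_matches(m.group(1))
            if ioc:
                hits.append((n, ioc, line.rstrip()))
                break  # one hit per line is enough for triage
    return hits


def rpz_blocklist(domains: Iterable[str] = ASIN_DOMAINS) -> str:
    """Render the indicators as BIND RPZ records: NXDOMAIN the domain and all subdomains."""
    out = []
    for d in sorted(domains):
        out.append(f"{d} CNAME .")
        out.append(f"*.{d} CNAME .")
    return "\n".join(out) + "\n"


# Constructed sample log lines (dnsmasq and squid access-log formats).
# Line 3 is the legitimate Liveuamap site and must NOT match; line 4 is a
# look-alike name that must NOT match either.
SAMPLE_LOGS = [
    "Jan 20 10:01:02 dnsmasq[812]: query[A] www.govlens.net from 10.0.0.23",
    "1737369700.123   210 10.0.0.23 TCP_MISS/200 51233 GET https://c-pdf.net/download/pdf_reader.apk - HIER_DIRECT/203.0.113.10 application/vnd.android.package-archive",
    "Jan 20 10:03:44 dnsmasq[812]: query[A] liveuamap.com from 10.0.0.23",
    "Jan 20 10:04:10 dnsmasq[812]: query[A] notc-pdf.net from 10.0.0.24",
    "1737369900.001   150 10.0.0.25 TCP_MISS/200 8841 GET https://syriadefensemap.com/ - HIER_DIRECT/203.0.113.11 text/html",
]


if __name__ == "__main__":
    for n, ioc, line in scan_logs(SAMPLE_LOGS):
        print(f"line {n}: {ioc} <- {line}")
    print("\nRPZ blocklist:\n" + rpz_blocklist())
```

Run as-is it reports three hits (lines 1, 2 and 5) and ignores both the legitimate liveuamap.com query and the look-alike notc-pdf.net; feed real dnsmasq, Pi-hole or proxy logs to `scan_logs()` in place of `SAMPLE_LOGS`, and load the `rpz_blocklist()` output into a resolver that supports RPZ to enforce the block.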