Emerging ThreatsMalware & Ransomware

ESET Exposes Android Spyware Asin Targeting Arabic Users

Analyst 207||Source: TheHackerNews
Smartphone on cluttered desk in Middle Eastern-style room with Arabic patterns, beside newspapers and manual.

"Each of these websites distributes a malicious app that combines legitimate functionality with stealthy spyware capabilities," ESET said.

ESET identifies Asin, an Android spyware cluster targeting Arabic speakers

The Slovakian cybersecurity company ESET reported in June 2026 that a new Android spyware family codenamed Asin has been observed spreading through multiple campaigns that began in early 2025. According to ESET, the activity specifically targeted Arabic-speaking users by offering apps that pose as legitimate tools tied to news, PDF editing, and battlefield updates.

Fraudulent websites and social accounts used to lure victims

ESET traced the distribution to at least three purpose-built domains and two social accounts. The domains and their stated impersonations are:

  • govlens[.]net — impersonating a government news source (registered on May 27, 2025)
  • pdf-reader[.]help — impersonating a secure PDF editor (registered on May 29, 2025)
  • live-war-map[.]com — claiming to offer updates on military incidents (registered on January 20, 2025)

Two of those sites were also promoted via dedicated social accounts: www.facebook.com/GovLens and t.me/liveuamap_ar. ESET noted that the Telegram channel's name is likely inspired by Live Universal Awareness Map (Liveuamap), a legitimate, well-known platform for mapping conflicts and related events.

Artifacts, timelines and how the apps reached devices

ESET cataloged multiple artifacts tied to the Asin activity cluster. Examples include a sample uploaded to VirusTotal from Türkiye in October 2025, an APK downloaded from the domain "c-pdf[.]net" in December 2025 by a user on a Xiaomi Redmi Note 13 Pro running Android 15, and a sample masquerading as "Syria Defense Map" detected around mid-January 2026 on a Xiaomi Redmi Note 13 Pro+ 5G device also running Android 15.

In the Syria Defense Map case the APK was reported as downloaded from syriadefensemap[.]com. ESET emphasized that the user must manually install the APK and grant it the requested permissions for the spyware to function — a reminder that these campaigns relied on social engineering to bypass platform controls.

Targeting signal: journalists and OSINT practitioners

ESET highlighted the choice of lures as a key indicator of who the operators may have been targeting. "Three out of the five fraudulent apps we unearthed - GovLens, WarMap, and Syria Defense Map - seem primarily intended for people interested in open-source investigation," the company said. "It thus seems possible that this set of activities may have been, at least partially, meant to target Arabic-speaking journalists or OSINT practitioners."

The use of a fake secure PDF editor and multiple war-map themed sites reinforces that pattern: the campaigns blended legitimate utility and topical appeals to attract users working with documents, maps, or real-time incident reporting.

What this means for technologists, journalists, and Android users

  • Technologists and security teams: Monitor the identified domains and known artifacts (the VirusTotal upload from Türkiye, c-pdf[.]net downloads, and syriadefensemap[.]com samples) and watch for similar APKs targeting Android 15 devices. The need for manual installation means telemetry that flags sideloaded APKs and unexpected permission grants may be decisive.
  • Journalists and OSINT researchers: Be cautious of apps branded as government news sources, war maps, or secure PDF utilities, especially when promoted via social platforms such as www.facebook.com/GovLens and t.me/liveuamap_ar. The campaigns appear designed to appeal to those gathering open-source information in Arabic-speaking regions.
  • Android users: Remember that these samples required manual installation and permission grants to operate; avoid sideloading APKs from unverified domains and question unexpected requests for broad device permissions.

ESET has not attributed the activity cluster to any actor, and the primary objectives of the campaigns remain unknown. The combination of topical lures, dedicated promotional accounts, and multiple artifacts appearing across late 2025 and early 2026 frames a focused, evolving effort — but one whose origins and full scope have yet to be established.

Read the original ESET-based report at: https://thehackernews.com/2026/06/android-spyware-asin-targets-arabic.html

Emerging ThreatsMobile SecurityNation-StateEsetAndroid SpywareSpyware OperationsAsinArabic
Related Intelligence

Continue Reading

Network router in a dimly lit server room setting.

Cisco SD-WAN Zero-Day Under Active Attack

Cisco SD-WAN is under siege from a zero-day vulnerability that's being actively exploited - and there's no patch in sight, leaving sys admins scrambling to protect their networks.

Analyst 207
Dental professional looks concerned while viewing laptop in a brightly-lit healthcare setting.

DentaQuest Breach Exposes 2.6M Accounts

A massive data breach at dental benefits provider DentaQuest has exposed a staggering 2.6 million accounts, after hackers stole over 234 GB of sensitive information and released it following failed negotiations with the company.

Analyst 207
Internet-exposed automatic tank gauge system at a gas station with pumps and convenience store in the background.

US Gas Station Tank Gauge Systems Vulnerable to Ongoing Attacks

US gas stations are under cyberattack, with hackers exploiting vulnerable tank gauge systems to gain control and wreak havoc. A joint advisory from top US agencies is urging critical infrastructure organizations to secure their internet-exposed systems ASAP.

Analyst 207
Employees work at desks with laptops and computers, some with blurred screens, in an office with a cityscape visible…

Verizon DBIR Exposes Growing Browser-Based Threats

Employees are unwittingly putting sensitive data at risk by using AI tools like ChatGPT and Gemini on corporate devices, with 67% accessing these services with personal accounts and 45% using them regularly. This Shadow AI phenomenon is rapidly escalating, with a fourfold year-over-year increase in insider risk.

Analyst 207