Arabic speaking users have been identified as the target of a newly discovered Android spyware campaign codenamed Asin, according to cybersecurity researchers at ESET. The spyware has been active in multiple coordinated campaigns observed since early 2025, using deceptive mobile applications designed to appear as legitimate tools and information services. These apps are distributed through fake websites and social media channels that mimic government news sources, document utilities and war related tracking platforms. Researchers said the campaign relies heavily on social engineering tactics, encouraging users to install malicious applications manually while granting them permissions that enable spyware functionality to operate on Android devices.
ESET identified several domains used in the campaign, including govlens[.]net, pdf-reader[.]help and live-war-map[.]com. The domain govlens[.]net is designed to impersonate a government news source and was registered on May 27, 2025, while pdf-reader[.]help poses as a secure PDF editing application registered on May 29, 2025. Another domain, live-war-map[.]com, claims to provide updates on military incidents and was registered earlier on January 20, 2025. Researchers also observed that two of these domains, govlens[.]net and live-war-map[.]com, were actively promoted through social media accounts on platforms including Facebook and Telegram. These accounts include facebook[.]com/GovLens and t[.]me/liveuamap_ar, which were used to distribute links and attract users interested in conflict tracking and geopolitical updates. ESET noted that the Telegram channel name appears to be inspired by Live Universal Awareness Map, commonly known as Liveuamap, a legitimate platform used for monitoring global conflicts, humanitarian incidents and geopolitical developments.
According to the analysis, each of the identified websites distributes Android applications that combine basic legitimate functionality with hidden spyware capabilities. The malware is designed to operate covertly once installed, requiring users to manually enable permissions that allow it to access sensitive information on infected devices. ESET found multiple artifacts linked to Asin, including one sample uploaded to VirusTotal from Türkiye in October 2025. Additional samples include an APK downloaded from c-pdf[.]net in December 2025, which was installed on a Xiaomi Redmi Note 13 Pro device running Android 15, as well as another version disguised as “Syria Defense Map” detected on Xiaomi Redmi Note 13 Pro Plus 5G devices around mid January 2026. In the latter case, the malicious application was distributed through syriadefensemap[.]com and required users to manually install it and grant permissions for the spyware to function as intended. Researchers highlighted that this installation method relies on user trust rather than system vulnerabilities, increasing the likelihood of successful infections when users believe they are accessing legitimate tools.
The threat cluster behind Asin remains unattributed, and its primary objectives are not yet fully confirmed by researchers. However, ESET believes the selection of lures suggests a targeted focus on individuals involved in open source intelligence and information gathering activities. The fake applications, including GovLens, WarMap and Syria Defense Map, appear to be tailored for users interested in tracking conflict zones and geopolitical developments. Based on this pattern, ESET assessed that Arabic speaking journalists and OSINT practitioners may be among the primary targets of the campaign. The spyware continues to be analysed as researchers monitor its infrastructure and distribution channels to better understand its operational scope and potential impact across mobile ecosystems.
Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.
