Hackers Using New Version of FurBall Android Malware to Spy on Iranian Citizens

Cyber Security

The Iranian threat actor known as Domestic Kitten has been attributed to a new mobile campaign that masquerades as a translation app to distribute an updated variant of an Android malware known as FurBall.

“Since June 2021, it has been distributed as a translation app via a copycat of an Iranian website that provides translated articles, journals, and books,” ESET researcher Lukas Stefanko said in a report shared with The Hacker News.

The updates, while retaining the same surveillance functionality as earlier versions, are designed to evade detection by security solutions, the Slovak cybersecurity firm added.

Domestic Kitten, also called APT-C-50, is an Iranian threat activity cluster that has been previously identified as targeting individuals of interest with the goal of harvesting sensitive information from compromised mobile devices. It’s been known to be active since at least 2016.

A tactical analysis conducted by Trend Micro in 2019 reveals Domestic Kitten’s potential connections to another group called Bouncing Golf, a cyber espionage campaign targeting Middle Eastern countries.

APT-C-50 has primarily singled out “Iranian citizens that could pose a threat to the stability of the Iranian regime, including internal dissidents, opposition forces, ISIS advocates, the Kurdish minority in Iran, and more,” according to Check Point.

Campaigns undertaken by the group have traditionally relied on luring potential victims into installing a rogue application via different attack vectors, including Iranian blog sites, Telegram channels, and SMS messages.

Irrespective of the method employed, the apps act as a conduit to deliver a piece of malware codenamed by the Israeli cybersecurity company named Furball, a customized version of KidLogger which comes with capabilities to gather and exfiltrate personal data from the devices.

The latest iteration of the campaign uncovered by ESET involves the app operating under the guise of a translation service. Previous covers used to conceal malicious behavior span different categories such as security, news, games, and wallpaper apps.

The app (“sarayemaghale.apk“) is delivered via a fake website mimicking downloadmaghaleh[.]com, a legitimate site that provides articles and books translated from English to Persian.

What’s notable about the latest version is that while the core spyware functions are retained, the artifact requests only one permission to access contacts, limiting it from accessing SMS messages, device location, call logs, and clipboard data.

“The reason could be its aim to stay under the radar; on the other hand, we also think it might signal it is just the preceding phase of a spear-phishing attack conducted via text messages,” Stefanko pointed out.

Despite this handicap, the Furball malware, in its present form, can retrieve commands from a remote server that allows it to gather contacts, files from external storage, a list of installed apps, basic system metadata, and synced user accounts.

The reduction in active app functionality notwithstanding, the sample further stands out for implementing an elementary code obfuscation scheme that’s seen as an attempt to get past security barriers.

“The Domestic Kitten campaign is still active, using copycat websites to target Iranian citizens,” Stefanko said. “The operator’s goal has changed slightly from distributing full-featured Android spyware to a lighter variant.”