Masquerading as a translation app, Furball spyware goes after Iranian citizens, ESET Research finds

Next story
Editor
  • ESET researchers recently identified a new version of the Android malware FurBall being used in a Domestic Kitten campaign.

  • The Domestic Kitten campaign is ongoing, dating back to at least 2016.

  • It mainly targets Iranian citizens.

  • We discovered a new, obfuscated Android Furball sample used in the campaign.

  • It is distributed using a copycat website.

  • The analyzed sample has only restricted spying functionality enabled, to stay under the radar.

SINGAPORE — OCTOBER 20, 2022 —  ESET researchers recently identified a new version of the Android malware FurBall being used in a Domestic Kitten campaign conducted by the APT-C-50 group. The Domestic Kitten campaign is known to conduct mobile surveillance operations against Iranian citizens, and this new FurBall version is no different in its targeting. Since June 2021, it has been distributed as a translation app via a copycat of an Iranian website that provides translated articles, journals, and books. The Domestic Kitten campaign is still ongoing, dating back to at least 2016.

This version of FurBall has the same surveillance functionality as previous versions. Since the functionality of this variant hasn’t changed, the main purpose of this update appears to be to avoid detection by security software. These modifications have had no effect on ESET software, however; ESET products detect this threat as Android/Spy.Agent.BWS. FurBall – Android malware used in this operation since these campaigns began – is created based on the commercial stalkerware tool KidLogger.

The analyzed sample requests only one intrusive permission – to access contacts. The reason could be its aim to stay under the radar; on the other hand, we also think it might signal it is just the preceding phase, of a spearphishing attack conducted via text messages. If the threat actor expands the app permissions, it would also be capable of exfiltrating other types of data from affected phones, such as SMS messages, device location, recorded phone calls, and much more.

“This malicious Android application is delivered via a fake website mimicking a legitimate site that provides articles and books translated from English to Persian (downloadmaghaleh.com). Based on the contact information from the legitimate website, they provide this service from Iran, which leads us to believe with high confidence that the copycat website targets Iranian citizens,” says ESET researcher Lukáš Štefanko, who discovered the malware.

“The purpose of the copycat is to offer an Android app for download after clicking on a button that says, in Persian, ‘Download the application’. The button has the Google Play logo, but this app is not available from the Google Play store; it is downloaded directly from the attacker’s server,” he adds.

For more technical information about Furball and Domestic Kitten, check out the blogpost “Domestic Kitten campaign spying on Iranian citizens with new Furball malware” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.

About ESET
For more than 30 years, ESET® has been developing industry-leading IT security software and services to protect businesses, critical infrastructure and consumers worldwide from increasingly sophisticated digital threats. From endpoint and mobile security to endpoint detection and response, as well as encryption and multifactor authentication, ESET’s high-performing, easy-to-use solutions unobtrusively protect and monitor 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company that enables the safe use of technology. This is backed by ESET’s R&D centers worldwide, working in support of our shared future. For more information, visit www.eset.com or follow us on LinkedIn, Facebook, and Twitter.