Masquerading as a translation app, Furball spyware goes after Iranian citizens, ESET Research finds
Created: 2022-10-20 09:00:55
- ESET researchers recently identified a new version of the Android malware FurBall being used in a Domestic Kitten campaign.
- The Domestic Kitten campaign is ongoing, dating back to at least 2016.
- It mainly targets Iranian citizens.
- We discovered a new, obfuscated Android FurBall sample used in the campaign.
- It is distributed using a copycat website.
- The analyzed sample has only restricted spying functionality enabled, to stay under the radar.
BRATISLAVA, KOŠICE — OCTOBER 20, 2022 — ESET researchers recently identified a new version of the Android malware FurBall being used in a Domestic Kitten campaign conducted by the APT-C-50 group. The Domestic Kitten campaign is known to conduct mobile surveillance operations against Iranian citizens, and this new FurBall version is no different in its targeting. Since June 2021, it has been distributed as a translation app via a copycat of an Iranian website that provides translated articles, journals, and books. The Domestic Kitten campaign is still ongoing, dating back to at least 2016.
This version of FurBall has the same surveillance functionality as previous versions. Since the functionality of this variant hasn’t changed, the main purpose of this update appears to be to avoid detection by security software. These modifications have had no effect on ESET software, however; ESET products detect this threat as Android/Spy.Agent.BWS. FurBall – Android malware used in this operation since these campaigns began – is created based on the commercial stalkerware tool KidLogger.
The analyzed sample requests only one intrusive permission – access to contacts. The reason could be its aim to stay under the radar; on the other hand, we also think it might signal that this is just the preceding phase of a spearphishing attack conducted via text messages. If the threat actor expands the app's permissions, it would also be capable of exfiltrating other types of data from affected phones, such as SMS messages, device location, recorded phone calls, and much more.
“This malicious Android application is delivered via a fake website mimicking a legitimate site that provides articles and books translated from English to Persian (downloadmaghaleh.com). Based on the contact information from the legitimate website, they provide this service from Iran, which leads us to believe with high confidence that the copycat website targets Iranian citizens,” says ESET researcher Lukáš Štefanko, who discovered the malware.
“The purpose of the copycat is to offer an Android app for download after clicking on a button that says, in Persian, ‘Download the application’. The button has the Google Play logo, but this app is not available from the Google Play store; it is downloaded directly from the attacker’s server,” he adds.
For more technical information about Furball and Domestic Kitten, check out the blogpost “Domestic Kitten campaign spying on Iranian citizens with new Furball malware” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.
About ESET
ESET develops software solutions that deliver instant, comprehensive protection against evolving computer security threats. ESET pioneered and continues to lead the industry in proactive threat detection. ESET NOD32 Antivirus, its flagship product, consistently achieves the highest accolades in all types of comparative testing and is the foundational product that builds out the ESET product line to include ESET Smart Security. ESET Smart Security is an integrated antivirus, antispyware, antispam and personal firewall solution that combines accuracy, speed and an extremely small system footprint to create the most effective security solution in the industry. Both products have an extremely efficient code base that eliminates the unnecessary large size found in some solutions. This means faster scanning that doesn’t slow down computers or networks. Sold in more than 160 countries, ESET has worldwide production headquarters in Bratislava, SK and worldwide distribution headquarters in San Diego, U.S. ESET also has offices in Bristol, U.K.; Buenos Aires, AR; Prague, CZ; and is globally represented by an extensive partner network. For more information, visit our local office at https://eset.version-2.sg.
About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The Company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which includes Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities. For more information, please visit https://www.version-2.com.sg/ or call (65) 6296-4268.