Hackers Using New Version of FurBall Android Malware to Spy on Iranian Citizens


The Iranian threat actor known as Domestic Kitten has been attributed to a new mobile campaign that masquerades as a translation app to distribute an updated variant of the Android malware called FurBall.

“Since June 2021, it has been distributed as a translation app via a mockup of an Iranian website that provides translated articles, magazines and books,” said ESET researcher Lukas Stefanko in a report shared with The Hacker News.

While the updates retain the same monitoring functionality as previous versions, they are designed to evade detection by security solutions, the Slovakian cybersecurity firm added.

Domestic Kitten, also known as APT-C-50, is an Iranian threat activity cluster previously identified as targeting individuals of interest with the aim of harvesting sensitive information from compromised mobile devices. It is known to have been active since at least 2016.


A 2019 analysis by Trend Micro pointed to potential links between Domestic Kitten and another group called Bouncing Golf, a cyberespionage campaign targeting Middle Eastern countries.

APT-C-50 primarily singled out “Iranian citizens who may pose a threat to the stability of the Iranian regime, including internal dissidents, opposition forces, ISIS supporters, Iran’s Kurdish minority, and more,” according to Check Point.

Campaigns run by the group have traditionally relied on tricking potential victims into installing a rogue application via various attack vectors, including Iranian blog sites, Telegram channels, and SMS messages.


Regardless of the delivery method, the apps act as a conduit for the malware codenamed FurBall by the Israeli cybersecurity company Check Point: a customized version of the KidLogger monitoring software equipped with the ability to collect and exfiltrate personal data from infected devices.

The latest iteration of the campaign uncovered by ESET involves the app operating under the guise of a translation service. Previous covers used to disguise malicious behavior span various categories such as security, news, games, and background apps.

The app (“sarayemaghale.apk”) is distributed via a fake website that mimics Downloadmaghaleh[.]com, a legitimate website offering articles and books translated from English to Persian.


What is notable about the latest version is that, while the core spyware functionality is retained, the sample requests only the contacts permission and no longer asks for access to SMS messages, device location, call logs, or clipboard data.

“The reason could be its aim to stay under the radar; on the other hand, we also believe that it could signal that it is just the preliminary phase of a spear phishing attack carried out via text messages,” Stefanko pointed out.

Despite this reduced scope, the FurBall malware in its current form can still pull commands from a remote server, allowing it to collect contacts, files from external storage, a list of installed apps, basic system metadata, and synced user accounts.
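A practical way to confirm the kind of permission trimming described above is to diff the `<uses-permission>` entries of an older and a newer sample of the same app. The snippet below is an added example written for this article, not code from ESET, Check Point, or the campaign itself. It assumes both manifests have already been decoded from binary AXML (for instance with apktool); the two manifests and the package name `com.example.translator` are constructed for illustration and do not describe the real FurBall sample.

```python
"""Compare requested Android permissions between two decoded manifests.

Added example, not from the original article. The manifests below are
constructed; the package name is hypothetical.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Subset of Android runtime ("dangerous") permissions typically used by
# spyware to harvest personal data.
DANGEROUS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.GET_ACCOUNTS",
    "android.permission.RECORD_AUDIO",
}

# Constructed "older" sample: broad data-collection footprint.
OLD_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.translator">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
</manifest>
"""

# Constructed "newer" sample: only network access and contacts remain.
NEW_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.translator">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded manifest.

    Both <uses-permission> and <uses-permission-sdk-23> are considered,
    since either form declares a permission the app may be granted.
    """
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for elem in root.iter(tag):
            name = elem.get("{%s}name" % ANDROID_NS)
            if name:
                names.add(name)
    return names


def diff_permissions(old_xml, new_xml):
    """Summarize how the permission footprint changed between two samples."""
    old = requested_permissions(old_xml)
    new = requested_permissions(new_xml)
    return {
        "kept": sorted(old & new),
        "dropped": sorted(old - new),
        "added": sorted(new - old),
        "dangerous_still_requested": sorted(new & DANGEROUS),
    }


if __name__ == "__main__":
    report = diff_permissions(OLD_MANIFEST, NEW_MANIFEST)
    for key, values in report.items():
        print("%s:" % key)
        for value in values:
            print("  %s" % value)
```

Run against two apktool-decoded `AndroidManifest.xml` files, the `dropped` list is the quickest way to spot a sample that has been slimmed down to look benign, while `dangerous_still_requested` shows what it can still reach once installed.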

Notwithstanding the reduction in active app functionality, the sample is notable for implementing a basic code obfuscation scheme, which is viewed as an attempt to evade detection by security software.

“The Domestic Kitten campaign is still active and using copycat websites to target Iranian citizens,” Stefanko said. “The operator’s goal has changed slightly, from distributing full-featured Android spyware to a lighter variety.”