ESET researchers say they recently identified a new version of the Android malware FurBall being used in a Domestic Kitten campaign conducted by the APT-C-50 group. The Domestic Kitten campaign is known to conduct mobile surveillance operations against Iranian citizens, and this new FurBall version is no different in its targeting. Since June 2021, it has been distributed as a translation app via a copycat of an Iranian website that provides translated articles, journals, and books. The Domestic Kitten campaign is still ongoing, dating back to at least 2016.
This version of FurBall has the same surveillance functionality as previous versions. Since the functionality of this variant hasn’t changed, the main purpose of this update appears to be to avoid detection by security software. These modifications have had no effect on ESET software, however; ESET products detect this threat as Android/Spy.Agent.BWS. FurBall, the Android malware used in this operation since these campaigns began, is based on the commercial stalkerware tool KidLogger.
The analyzed sample requests only one intrusive permission – access to contacts. The reason could be its aim to stay under the radar; on the other hand, it might also signal that this is just the preceding phase of a spearphishing attack conducted via text messages, for which a harvested contact list is the natural input. If the threat actor expanded the app’s permissions, the same code base would be capable of exfiltrating other types of data from affected phones, such as SMS messages, device location, and recorded phone calls.
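A practitioner triaging a sample like this would start from the decoded manifest and ask which permissions are declared and which surveillance capabilities they unlock. The script below is an added example written for this page; it is not ESET tooling and is not derived from the FurBall sample. It parses an AndroidManifest.xml as produced by `apktool d`, flags the dangerous permissions, and shows what a later build would gain if the permission set were expanded. Both manifests are constructed, and the mapping from permission to capability is this example’s own assumption based on the Android runtime (“dangerous”) permission model.

```python
"""Permission triage for a decoded AndroidManifest.xml.

Example code added for this page; not ESET tooling and not derived from the
FurBall sample. Both manifests below are constructed, and the mapping from
permission to surveillance capability is this example's assumption, based on
the Android runtime ("dangerous") permission model.
"""
from typing import Dict, List
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Dangerous permissions and the surveillance capability each one unlocks
# (assumed mapping for this example).
SURVEILLANCE_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "contact list exfiltration",
    "android.permission.READ_SMS": "reading stored SMS",
    "android.permission.RECEIVE_SMS": "intercepting incoming SMS",
    "android.permission.ACCESS_FINE_LOCATION": "device location",
    "android.permission.ACCESS_COARSE_LOCATION": "device location",
    "android.permission.RECORD_AUDIO": "recording calls or surroundings",
    "android.permission.READ_CALL_LOG": "call log exfiltration",
    "android.permission.READ_PHONE_STATE": "monitoring call state",
    "android.permission.READ_EXTERNAL_STORAGE": "file exfiltration",
    "android.permission.CAMERA": "taking photos",
}


def declared_permissions(manifest_xml: str) -> List[str]:
    """Return every <uses-permission android:name=...> in declaration order."""
    root = ET.fromstring(manifest_xml)
    names = []
    # apktool emits both tags; the -sdk-23 form is only requested on API 23+.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for elem in root.iter(tag):
            name = elem.get("{%s}name" % ANDROID_NS)
            if name:
                names.append(name)
    return names


def surveillance_capabilities(manifest_xml: str) -> Dict[str, str]:
    """Map each declared dangerous permission to the capability it grants."""
    return {
        perm: SURVEILLANCE_PERMISSIONS[perm]
        for perm in declared_permissions(manifest_xml)
        if perm in SURVEILLANCE_PERMISSIONS
    }


def added_capabilities(old_manifest: str, new_manifest: str) -> Dict[str, str]:
    """Capabilities a later build gains over an earlier one via new permissions."""
    before = surveillance_capabilities(old_manifest)
    after = surveillance_capabilities(new_manifest)
    return {perm: cap for perm, cap in after.items() if perm not in before}


# Constructed manifest for a "translation" app that asks only for contacts.
# INTERNET is a normal, install-time permission and is deliberately not flagged.
MANIFEST_CONTACTS_ONLY = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.translator">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:label="Translator"/>
</manifest>
"""

# Constructed manifest for a hypothetical later build with expanded permissions.
MANIFEST_EXPANDED = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.translator">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <application android:label="Translator"/>
</manifest>
"""


if __name__ == "__main__":
    for label, manifest in (("contacts-only", MANIFEST_CONTACTS_ONLY),
                            ("expanded", MANIFEST_EXPANDED)):
        print(f"[{label}] declared: {declared_permissions(manifest)}")
        for perm, cap in surveillance_capabilities(manifest).items():
            print(f"  {perm} -> {cap}")
    print("gained by expanded build:")
    for perm, cap in added_capabilities(MANIFEST_CONTACTS_ONLY, MANIFEST_EXPANDED).items():
        print(f"  {perm} -> {cap}")
```

Run it against a real decoded manifest by reading the file into `declared_permissions` or `surveillance_capabilities`; comparing two builds of the same package with `added_capabilities` is the quick way to see whether an update widened the surveillance surface or, as with the sample described here, kept it narrow.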
“This malicious Android application is delivered via a fake website mimicking a legitimate site that provides articles and books translated from English to Persian (downloadmaghaleh.com). Based on the contact information from the legitimate website, they provide this service from Iran, which leads us to believe with high confidence that the copycat website targets Iranian citizens,” says ESET researcher Lukáš Štefanko, who discovered the malware.
“The purpose of the copycat is to offer an Android app for download after clicking on a button that says, in Persian, ‘Download the application’. The button has the Google Play logo, but this app is not available from the Google Play store; it is downloaded directly from the attacker’s server,” he adds.