Hackers Using New Version of FurBall Android Malware to Spy on Iranian Citizens

The Iranian threat actor known as Domestic Kitten has
been attributed to a new mobile campaign that masquerades as a
translation app to distribute an updated variant of an Android
malware known as FurBall.

“Since June 2021, it has been distributed as a translation app
via a copycat of an Iranian website that provides translated
articles, journals, and books,” ESET researcher Lukas Stefanko
said^[1]
in a report shared with The Hacker News.

The updates, while retaining the same surveillance functionality
as earlier versions, are designed to evade detection by security
solutions, the Slovak cybersecurity firm added.

Domestic Kitten, also called APT-C-50, is an Iranian threat
activity cluster that has been previously identified as targeting
individuals of interest with the goal of harvesting sensitive
information from compromised mobile devices. It’s been known to be
active since at least 2016.

A tactical analysis conducted by Trend Micro in 2019 reveals
Domestic Kitten’s potential connections to another group called
Bouncing Golf^[2], a cyber espionage
campaign targeting Middle Eastern countries.

APT-C-50 has primarily singled out “Iranian citizens that could
pose a threat to the stability of the Iranian regime, including
internal dissidents, opposition forces, ISIS advocates, the Kurdish
minority in Iran, and more,” according to Check Point^[3].

Campaigns undertaken by the group have traditionally relied on
luring potential victims into installing a rogue application via
different attack vectors, including Iranian blog sites, Telegram
channels, and SMS messages.

Irrespective of the method employed, the apps act as a conduit
to deliver a piece of malware codenamed by the Israeli
cybersecurity company named Furball, a customized version of
KidLogger which comes with capabilities to gather and exfiltrate
personal data from the devices.

The latest iteration of the campaign uncovered by ESET involves
the app operating under the guise of a translation service.
Previous covers used to conceal malicious behavior span different
categories such as security, news, games, and wallpaper apps.

The app (“sarayemaghale.apk^[4]“) is delivered via a
fake website mimicking downloadmaghaleh[.]com, a legitimate site
that provides articles and books translated from English to
Persian.

What’s notable about the latest version is that while the core
spyware functions are retained, the artifact requests only one
permission to access contacts, limiting it from accessing SMS
messages, device location, call logs, and clipboard data.

“The reason could be its aim to stay under the radar; on the
other hand, we also think it might signal it is just the preceding
phase of a spear-phishing attack conducted via text messages,”
Stefanko pointed out.

Despite this handicap, the Furball malware, in its present form,
can retrieve commands from a remote server that allows it to gather
contacts, files from external storage, a list of installed apps,
basic system metadata, and synced user accounts.

The reduction in active app functionality notwithstanding, the
sample further stands out for implementing an elementary code
obfuscation scheme that’s seen as an attempt to get past security
barriers.

“The Domestic Kitten campaign is still active, using copycat
websites to target Iranian citizens,” Stefanko said. “The
operator’s goal has changed slightly from distributing
full-featured Android spyware to a lighter variant.”