An Iranian hacker group spies on its own compatriots with the help of a manipulated app. FurBall spyware, disguised as a translation app, is targeting Iranian citizens.
Anyone who downloads apps onto their Android smartphone or tablet should have security software installed if possible. This is especially true when the desired translation app turns out to be a spy tool and personal data suddenly changes hands. This is exactly what is currently happening in Iran, according to researchers at the IT security manufacturer ESET.
APT-C-50 group Domestic Kitten
Apparently, the Iranian APT-C-50 group "Domestic Kitten" is running such a campaign. It hides a new version of the Android malware FurBall in a translation app. The malware collects a large amount of information from the affected device and sends it back to the hacker gang. ESET researchers have subjected the app to a detailed analysis.
"To what extent the current version of FurBall is related to the unrest in Iran is not clear. But it is a strange coincidence that a local hacker group, which is said to be close to those in power, is now again illegally distributing surveillance software on a large scale,” says Thorsten Urbanski, security expert at ESET Germany. "Domestic Kitten is known for conducting mobile surveillance operations against Iranian citizens and has been doing so since at least 2016."
"Classic" distribution
However, the APT group is not particularly imaginative in its campaign. It posted a copy of a well-known Iranian website (www.downloadmaghaleh.com) that offers translations of articles, magazines and books from English into Persian. As an additional "service", a translation app is offered that can be downloaded by clicking on the illegally used Google Play logo. Of course, the software is not downloaded from the official Google Play Store, but directly from the cyber criminals' servers.
Based on the contact information on the legitimate website, this service is offered from Iran. This fact suggests that the fake website is targeting Iranian citizens.
Well-known functions
This new version of FurBall has the same monitoring features as previous ones. Since the functionality of this variant has not changed, the main purpose of this update seems to be to evade detection by security software. However, the changes do not affect ESET products, which detect this threat as Android/Spy.Agent.BWS. The FurBall Android malware was created based on the commercial stalkerware tool KidLogger.