Earlier, in June 2021, reports said it was being distributed as a translation app via a copycat of an Iranian website that provides translated articles, journals, and books.
ESET researchers note that this new version shares many similarities with earlier versions, but that it now comes with obfuscation and C2 updates.
Domestic Kitten, also called APT-C-50, is an Iranian threat activity cluster that has been previously identified as targeting individuals of interest with the goal of harvesting sensitive information from compromised mobile devices. It’s been known to be active since at least 2016.
If the threat actor were to expand the app's permissions, it would also be capable of exfiltrating:
- text from the clipboard,
- device location,
- SMS messages,
- call logs,
- recorded phone calls,
- text of all notifications from other apps,
- device accounts,
- list of files on the device,
- running apps,
- list of installed apps, and
- device info.
The sample ESET analyzed has limited functionality, requesting access only to contacts and storage media.
Upon installation, Furball makes an HTTP request to its C&C server every 10 seconds, asking for commands to execute.
Researchers say the obfuscation can be spotted in class names, method names, some strings, logs, and server URI paths.
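A defender-side way to surface that fixed 10-second polling pattern in web-proxy logs, as an added example (not code from the article or from ESET); the log format, client addresses, hostnames and URI paths are constructed for illustration:

```python
# Added example (not from the article or ESET): detect the fixed-interval C&C
# polling described above (one HTTP request every 10 seconds) in a constructed
# web-proxy log. Log format, hosts and paths are assumptions for illustration.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<ISO timestamp> <client> <method> <host><path>"
SAMPLE_LOG = """\
2021-06-15T10:00:00 10.0.0.7 GET cdn.example.test/images/logo.png
2021-06-15T10:00:00 10.0.0.5 GET c2.example.test/api/cmd
2021-06-15T10:00:10 10.0.0.5 GET c2.example.test/api/cmd
2021-06-15T10:00:20 10.0.0.5 GET c2.example.test/api/cmd
2021-06-15T10:00:30 10.0.0.5 GET c2.example.test/api/cmd
2021-06-15T10:00:41 10.0.0.5 GET c2.example.test/api/cmd
2021-06-15T10:00:50 10.0.0.5 GET c2.example.test/api/cmd
2021-06-15T10:00:03 10.0.0.7 GET news.example.test/index.html
2021-06-15T10:00:31 10.0.0.7 GET news.example.test/story/1
2021-06-15T10:00:32 10.0.0.7 GET news.example.test/story/2
2021-06-15T10:01:20 10.0.0.7 GET news.example.test/story/3
"""

def parse_log(text):
    """Group request timestamps by (client, host) pair."""
    series = defaultdict(list)
    for line in text.splitlines():
        ts, client, _method, target = line.split(maxsplit=3)
        host = target.split("/", 1)[0]
        series[(client, host)].append(datetime.fromisoformat(ts))
    return series

def find_beacons(series, period=10.0, tolerance=0.15, min_requests=5):
    """Return (client, host) pairs whose requests recur at a near-constant gap.

    A hit needs at least `min_requests` requests, a mean gap within `tolerance`
    of `period` seconds, and low jitter (std dev below tolerance * period).
    """
    hits = []
    for key, stamps in series.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if abs(mean(gaps) - period) <= tolerance * period and pstdev(gaps) <= tolerance * period:
            hits.append(key)
    return hits

if __name__ == "__main__":
    for client, host in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"possible C&C polling: {client} -> {host}")
```

The jitter check is what separates a 10-second poller from ordinary browsing with a similar average gap; tune `tolerance` to the timestamp resolution of the log source.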
“The Domestic Kitten campaign is still active, using copycat websites to target Iranian citizens. The operator’s goal has changed slightly from distributing full-featured Android spyware to a lighter variant”, said ESET researchers.