Hackers Use New Sophisticated Version of Android Spyware to Conduct Mobile Surveillance

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Researchers at ESET found a new version of the Android malware ‘FurBall’ targeting Iranian citizens in mobile surveillance campaigns conducted by the Domestic Kitten hacking group, also called APT-C-50.

According to the reports, this version has been distributed since June 2021 as a translation app, via a copycat of an Iranian website that provides translated articles, journals, and books.

ESET researchers note that this new version shares much of its code with earlier versions, but adds obfuscation and an updated C2 scheme.

Domestic Kitten, also called APT-C-50, is an Iranian threat activity cluster that has been previously identified as targeting individuals of interest with the goal of harvesting sensitive information from compromised mobile devices. It’s been known to be active since at least 2016.

Fake site on the left, real site on the right
In the fake version, there is a Google Play button that purportedly lets users download an Android version of the translator; however, instead of landing on the app store, they are served an APK file named ‘sarayemaghale.apk’.

The code base is more capable than the permissions it currently requests suggest. If the threat actor expands the app's permissions, the spyware would also be capable of exfiltrating:

  • text from the clipboard,
  • device location,
  • SMS messages,
  • contacts,
  • call logs,
  • recorded phone calls,
  • text of all notifications from other apps,
  • device accounts,
  • list of files on the device,
  • running apps,
  • list of installed apps, and
  • device info.

The sample ESET analyzed, however, has limited functionality: it requests access only to contacts and storage media.

Permission requested upon installation

Once installed, FurBall makes an HTTP request to its C&C server every 10 seconds, asking for commands to execute. A fixed polling interval like this is a useful detection signal on its own: the client-to-host pair shows up in proxy or network logs as a run of requests with near-constant gaps between them, regardless of how the URI paths are obfuscated.

C2 response returning no command for execution
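The following is an added example, not ESET's code nor code from the FurBall sample, that shows how the 10-second polling described above can be spotted in web-proxy logs. It groups requests by (client, host), measures the gaps between consecutive requests, and flags pairs whose gaps are regular. The log format, the host names and the sample lines are all constructed for the example; the thresholds `min_requests` and `max_jitter` are assumptions to tune for a real environment.

```python
"""
Beaconing detector over web-proxy log lines.

Added example (not ESET's or the article's code): FurBall polls its C&C
every ~10 seconds over HTTP, which shows up as near-constant intervals
between requests from one client to one host. The log lines below are
constructed, not captured traffic; the host names are placeholders.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample in a simple "timestamp client host path" format.
# One client polls a C2 host roughly every 10 s and also browses a news
# site at irregular intervals; a second client makes a single request.
SAMPLE_LOG = """\
2022-10-20T10:00:00 10.0.0.5 c2.example.invalid /api/cmd
2022-10-20T10:00:03 10.0.0.5 news.example.invalid /index.html
2022-10-20T10:00:10 10.0.0.5 c2.example.invalid /api/cmd
2022-10-20T10:00:20 10.0.0.5 c2.example.invalid /api/cmd
2022-10-20T10:00:30 10.0.0.5 c2.example.invalid /api/cmd
2022-10-20T10:00:41 10.0.0.5 c2.example.invalid /api/cmd
2022-10-20T10:00:50 10.0.0.5 c2.example.invalid /api/cmd
2022-10-20T10:01:00 10.0.0.5 c2.example.invalid /api/cmd
2022-10-20T10:00:07 10.0.0.5 news.example.invalid /story/1
2022-10-20T10:00:55 10.0.0.5 news.example.invalid /story/2
2022-10-20T10:02:10 10.0.0.5 news.example.invalid /story/3
2022-10-20T10:00:15 10.0.0.9 cdn.example.invalid /lib.js
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_log(text):
    """Yield (timestamp, client, host) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        yield ts, m.group(2), m.group(3)


def find_beacons(text, min_requests=6, max_jitter=0.2):
    """Return {(client, host): median_interval_seconds} for pairs whose
    inter-request gaps are regular.

    A pair is flagged when it has at least `min_requests` requests and the
    median absolute deviation of the gaps, divided by the median gap, is
    below `max_jitter` (assumed thresholds; tune for the environment).
    """
    times = defaultdict(list)
    for ts, client, host in parse_log(text):
        times[(client, host)].append(ts)

    beacons = {}
    for key, stamps in times.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        median = statistics.median(gaps)
        if median <= 0:
            continue  # duplicate timestamps only; nothing to measure
        mad = statistics.median(abs(g - median) for g in gaps)
        if mad / median < max_jitter:
            beacons[key] = median
    return beacons


if __name__ == "__main__":
    for (client, host), interval in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: polls every ~{interval:.0f}s")
```

On the constructed sample, only the pair (10.0.0.5, c2.example.invalid) is reported, with a median interval of 10 seconds; the news site browsing is too irregular and too sparse, and the second client makes a single request. Using the median and the median absolute deviation rather than the mean and standard deviation keeps one delayed poll (the 11-second gap in the sample) from masking the pattern.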

Researchers say the new version's obfuscation is visible in class names, method names, some strings, logs, and server URI paths.

“The Domestic Kitten campaign is still active, using copycat websites to target Iranian citizens. The operator’s goal has changed slightly from distributing full-featured Android spyware to a lighter variant,” ESET researchers said.