APT-C-50 (Domestic Kitten), is an Iranian state-backed hacking group that has developed a new version of the Furball Android malware to spy on citizens in a mass-surveillance operation active since at least 2016.
This new version was sampled and analysed by ESET researchers. Reports suggest that while the two versions are functionally similar, the newer one has obfuscation features and C2 updates. Previous versions of the malware didn’t feature any obfuscation at all, meaning the malware was flagged by as many as 28 AV engines. The newer version was only caught by four AV engines on VirusTotal.
Distribution is handled by fake or imposter websites. Victims are led here by DMs, social media posts, spam emails and SMSs as well as SEO poisoning. These websites then point to an app download page, which instead of taking users to the Google Play Store to download the real app, just downloads the APK file locally instead.
Once installed, depending on what permissions the app asks for the spyware can steal the following information from the target device.
- Call logs
- Contact lists
- Notification content
- Clipboard content
- Call recordings
- Installed and ran apps
- Device information and accounts
The sample that ESET analysed was posing as an imposter translation app and only requested access to contacts and storage media. That said, these permissions are still powerful and at least in the case of the ESET sample, won’t really raise suspicion, which could be why the group restricted the spyware.
Furball can also take commands from the remote command and control server, which it contacts via HTTP requests every 10 seconds. Thanks to the new obfuscation layer that Domestic Kitten has added, class names, strings, logs and even server URI paths are all hidden to evade detection from antivirus tools.
Someone who writes/edits/shoots/hosts all things tech and when he’s not, streams himself racing virtual cars. You can reach out to Yadullah at [email protected], or follow him on Instagram or Twitter.