Skip to content

Iranian hacking group updates Android malware to target citizens

  • by
  • 3 min read

APT-C-50 (Domestic Kitten), is an Iranian state-backed hacking group that has developed a new version of the Furball Android malware to spy on citizens in a mass-surveillance operation active since at least 2016. 

This new version was sampled and analysed by ESET researchers. Reports suggest that while the two versions are functionally similar, the newer one has obfuscation features and C2 updates. Previous versions of the malware didn’t feature any obfuscation at all, meaning the malware was flagged by as many as 28 AV engines. The newer version was only caught by four AV engines on VirusTotal. 

Distribution is handled by fake or imposter websites. Victims are led here by DMs, social media posts, spam emails and SMSs as well as SEO poisoning. These websites then point to an app download page, which instead of taking users to the Google Play Store to download the real app, just downloads the APK file locally instead. 

The fake website distributing the malware (left) vs the real website (right). | Source: ESET

Once installed, depending on what permissions the app asks for the spyware can steal the following information from the target device. 

  • Call logs
  • Contact lists
  • Notification content
  • Clipboard content
  • SMS
  • Call recordings
  • Installed and ran apps
  • Device information and accounts

The sample that ESET analysed was posing as an imposter translation app and only requested access to contacts and storage media. That said, these permissions are still powerful and at least in the case of the ESET sample, won’t really raise suspicion, which could be why the group restricted the spyware. 

HTTP POST requests sent to the C2 server. | Source: ESET

Furball can also take commands from the remote command and control server, which it contacts via HTTP requests every 10 seconds. Thanks to the new obfuscation layer that Domestic Kitten has added, class names, strings, logs and even server URI paths are all hidden to evade detection from antivirus tools. 

In the News: Google releases Andrioid 13 G0; requires more system power to run

Yadullah Abidi

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: