Iran-Linked Android Malware Makes End Run Around Antivirus
FurBall Android Malware Accesses Smartphone Contacts, Say Eset Researchers
A hacking group with ties to the Iranian government and known for domestic smartphone espionage is distributing updated Android malware in an apparent attempt to evade antivirus detection.
The malware - dubbed FurBall - is the product of a threat actor spying on Iranian citizens since 2016 known variously as Domestic Kitten or APT-C-50.
Researchers from cybersecurity firm Eset say FurBall's latest version, in circulation since June 2021, is likely an early stage of a multipart campaign to surveil Iranians. Although FurBall is programmed to potentially exfiltrate SMS messages, device location and recordings of phone calls, this variant only attempts to access smartphone contacts. Spear-phishing messages via text are the likely follow-up, Eset says in a write-up of its findings.
Very likely "they wanted to stay under the radar, gather further contacts of potential victims and possibly cherry-pick targets," Eset malware researcher Lukas Stefanko told Information Security Media Group.
Iranian state organs including the Ministry of Intelligence and Security have well-developed digital spying capabilities they deploy against perceived enemies of Tehran's theocratic and authoritarian government. Street protests have flared in Iran for years, provoking hard-line responses. Human rights activists report that security forces have killed more than 200 individuals during ongoing mass protests sparked last month by the death of a Kurdish woman at the hands of "morality" police.
FurBall's newest infection vector is a fake website mimicking a legitimate one that provides articles and books translated from English to Persian. The fake website includes a link to download a translation app that purports to be on the Google Play store. It's not; the app is downloaded directly from the attacker's server.
The malware appears to be based on a commercial stalkerware application called KidLogger. Israeli cybersecurity firm Check Point, which also tracks FurBall, wrote in 2021 that the developers likely used KidLogger source code posted to GitHub.
Domestic Kitten coders slightly modified the app's coding by obfuscating things such as class and method names, strings, logs, and server URIs.
"Since the functionality of this variant hasn't changed, the main purpose of this update appears to be to avoid detection by security software," Stefanko said. Only four security vendors flagged the variant as malicious, compared with the 28 vendors that flagged a previous version of FurBall, Eset says.
The Slovakian company says it spotted the variant when someone uploaded a sample to VirusTotal. The variant's command-and-control server is located in Germany, Stefanko said. The variant attempts to contact the C2 server every 10 seconds through an HTTP request.
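A fixed 10-second polling interval is the kind of network behaviour a defender can look for even when the sample itself slips past antivirus signatures. The following is an added example, not code from the Eset write-up: it parses constructed proxy log lines (the timestamp/client/host/method/path format and the hostname c2-placeholder.example are assumptions, not real FurBall indicators) and flags client/destination pairs whose request gaps cluster tightly around one period.

```python
"""Detect fixed-interval HTTP beaconing in proxy logs.

Added example, not from the ESET write-up. FurBall is reported to contact
its C2 every 10 seconds over HTTP, so the detector looks for client/host
pairs whose inter-request gaps are tightly clustered around a fixed period.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed sample proxy log lines: timestamp, client IP, destination host,
# method, path. The hostname is a placeholder, not a real indicator.
SAMPLE_LOG = """\
2022-10-20T10:00:00 10.0.0.5 c2-placeholder.example POST /api/check
2022-10-20T10:00:03 10.0.0.7 news.example GET /index.html
2022-10-20T10:00:10 10.0.0.5 c2-placeholder.example POST /api/check
2022-10-20T10:00:20 10.0.0.5 c2-placeholder.example POST /api/check
2022-10-20T10:00:21 10.0.0.7 news.example GET /article/1
2022-10-20T10:00:30 10.0.0.5 c2-placeholder.example POST /api/check
2022-10-20T10:00:40 10.0.0.5 c2-placeholder.example POST /api/check
2022-10-20T10:00:50 10.0.0.5 c2-placeholder.example POST /api/check
2022-10-20T10:01:00 10.0.0.5 c2-placeholder.example POST /api/check
2022-10-20T10:01:37 10.0.0.7 news.example GET /article/2
2022-10-20T10:02:02 10.0.0.7 news.example GET /article/3
2022-10-20T10:03:00 10.0.0.7 news.example GET /article/4
2022-10-20T10:03:50 10.0.0.7 news.example GET /article/5
"""


def parse_log(text):
    """Yield (timestamp, client, host) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, _method, _path = line.split()
        yield datetime.fromisoformat(ts), client, host


def find_beacons(text, min_requests=6, max_jitter=0.15):
    """Return {(client, host): period_seconds} for pairs that poll at a fixed rate.

    A pair is flagged when it has at least `min_requests` requests and the
    standard deviation of the gaps between requests is at most `max_jitter`
    times the median gap. The 6-request and 15% defaults are assumptions for
    this example; real malware may add jitter, so both are tunables.
    """
    times = defaultdict(list)
    for ts, client, host in parse_log(text):
        times[(client, host)].append(ts)

    beacons = {}
    for key, stamps in times.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = median(gaps)
        # Low spread relative to the median means a timer, not a human.
        if period > 0 and pstdev(gaps) <= max_jitter * period:
            beacons[key] = period
    return beacons


if __name__ == "__main__":
    for (client, host), period in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: beacon every {period:.0f}s")
```

On the constructed sample, the host 10.0.0.5 is reported with a 10-second period while the irregular browsing from 10.0.0.7 is ignored. In production the same logic runs over DNS or proxy exports, and the thresholds should be tuned against a baseline of legitimate polling apps (mail sync, push keepalives) before alerts are raised on it.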