
Iran-Linked Android Malware Makes End Run Around Antivirus

FurBall Android Malware Accesses Smartphone Contacts, Say Eset Researchers
An outline of Iran (Image: iStock)

A hacking group with ties to the Iranian government and known for domestic smartphone espionage is distributing updated Android malware in an apparent attempt to evade antivirus detection.


The malware - dubbed FurBall - is the product of a threat actor, known variously as Domestic Kitten or APT-C-50, that has been spying on Iranian citizens since 2016.

Researchers from cybersecurity firm Eset say FurBall's latest version, in circulation since June 2021, is likely an early stage of a multipart campaign to surveil Iranians. Although FurBall is programmed to potentially exfiltrate SMS messages, device location and recordings of phone calls, this variant only attempts to access smartphone contacts. Spear-phishing messages via text are the likely follow-up, Eset says in a write-up of its findings.

Very likely "they wanted to stay under the radar, gather further contacts of potential victims and possibly cherry-pick targets," Eset malware researcher Lukas Stefanko told Information Security Media Group.

Iranian state organs including the Ministry of Intelligence and Security have well-developed digital spying capabilities they deploy against perceived enemies of Tehran's theocratic and authoritarian government. Street protests have flared in Iran for years, provoking hard-line responses. Human rights activists report that security forces have killed more than 200 individuals during ongoing mass protests sparked last month by the death of a Kurdish woman at the hands of "morality" police.

Malware Functionality

FurBall's newest infection vector is a fake website mimicking a legitimate one that provides articles and books translated from English to Persian. The fake website includes a link to download a translation app that purports to be on the Google Play store. It's not; the app is downloaded directly from the attacker's server.

The malware appears to be based on a commercial stalkerware application called KidLogger. Israeli cybersecurity firm Check Point, which also tracks FurBall, wrote in 2021 that the developers likely used KidLogger source code posted to GitHub.

Domestic Kitten's coders made only slight modifications to the app's code, obfuscating items such as class and method names, strings, logs and server URIs.

"Since the functionality of this variant hasn't changed, the main purpose of this update appears to be to avoid detection by security software," Stefanko said. Only four security vendors flagged the variant as malicious, compared to the 28 vendors that had detected a previous version of FurBall as malicious, Eset says.

The Slovakian company says it spotted the variant when someone uploaded a sample to VirusTotal. The variant's command-and-control server is located in Germany, Stefanko said. The variant attempts to contact the C2 server every 10 seconds through an HTTP request.
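As an added, illustrative defender-side example (not from Eset's or the article's analysis), the following Python script flags a client/host pair whose HTTP requests arrive at a near-constant interval, the kind of 10-second cadence described above. The log format, client address and hostnames are constructed for the example.

```python
import re
from datetime import datetime
from statistics import median, pstdev, mean

# Constructed sample egress log lines (not from the article): timestamp, client, host, method, path
SAMPLE_LOG = """\
2022-10-20T09:00:00 10.0.0.12 c2.example.invalid GET /update
2022-10-20T09:00:03 10.0.0.12 cdn.example.invalid GET /img/logo.png
2022-10-20T09:00:10 10.0.0.12 c2.example.invalid GET /update
2022-10-20T09:00:20 10.0.0.12 c2.example.invalid GET /update
2022-10-20T09:00:31 10.0.0.12 c2.example.invalid GET /update
2022-10-20T09:00:40 10.0.0.12 c2.example.invalid GET /update
2022-10-20T09:00:50 10.0.0.12 c2.example.invalid GET /update
2022-10-20T09:01:00 10.0.0.12 c2.example.invalid GET /update
2022-10-20T09:00:45 10.0.0.12 cdn.example.invalid GET /img/a.png
2022-10-20T09:02:15 10.0.0.12 cdn.example.invalid GET /img/b.png
2022-10-20T09:05:00 10.0.0.12 cdn.example.invalid GET /img/c.png
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

def parse_log(text):
    """Yield (timestamp, client, host) tuples from the whitespace-separated format above."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, host, _method, _path = m.groups()
            yield datetime.fromisoformat(ts), client, host

def find_beacons(text, min_requests=6, max_jitter=0.15):
    """Return {(client, host): period_seconds} for client/host pairs whose request
    intervals are regular enough to look like a fixed-period beacon."""
    per_pair = {}
    for ts, client, host in parse_log(text):
        per_pair.setdefault((client, host), []).append(ts)
    beacons = {}
    for pair, times in per_pair.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = median(gaps)
        # Coefficient of variation: a low value means near-constant spacing between requests
        if period > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            beacons[pair] = period
    return beacons
```

Legitimate apps (update checkers, push keepalives) also poll on fixed schedules, so a hit is a lead for triage against the destination host's reputation, not a verdict on its own.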

About the Author

Prajeet Nair


Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.
