Sophisticated Version of Android Spyware

Researchers at ESET found a new version of the Android malware ‘FurBall’ targeting Iranian citizens in mobile surveillance campaigns conducted by the Domestic Kitten hacking group, also called APT-C-50.

According to reports, it has been distributed as early as June 2021 as a translation app via a copycat of an Iranian website that provides translated articles, journals, and books.


ESET researchers mention that this new version has many similarities with earlier versions, but at present, it comes with obfuscation and C2 updates.

Domestic Kitten, also called APT-C-50, is an Iranian threat activity cluster that has been previously identified as targeting individuals of interest with the goal of harvesting sensitive information from compromised mobile devices. It’s been known to be active since at least 2016.

In 2019, Trend Micro identified a malicious campaign, possibly connected to Domestic Kitten, targeting the Middle East, naming the campaign Bouncing Golf.

“Iranian citizens that could pose a threat to the stability of the Iranian regime, including internal dissidents, opposition forces, ISIS advocates, the Kurdish minority in Iran, and more”, Check Point.

FurBall Android Malware

In this campaign, the FurBall Android malware was created based on the commercial stalkerware tool KidLogger. Check Point says that “the FurBall developers were inspired by the open-source version from seven years ago that is available on GitHub”.

FurBall is distributed via fake websites that are replicas of real ones, where victims end up after direct messages, social media posts, emails, SMS, black SEO, and SEO poisoning.

“This malicious Android application is delivered via a fake website mimicking a legitimate site that provides articles and books translated from English to Persian”, ESET Researchers.

Researchers say the purpose of the copycat is to offer an Android app for download when the visitor clicks a button that says, in Persian, “Download the application”.

Fake site on the left, real site on the right

In the fake version, there’s a Google Play button that allegedly lets users download an Android version of the translator; however, instead of landing on the app store, they are sent an APK file named ‘sarayemaghale.apk’.

If the threat actor expands the app permissions, it would also be capable of exfiltrating:

  • text from the clipboard,
  • device location,
  • SMS messages,
  • contacts,
  • call logs,
  • recorded phone calls,
  • text of all notifications from other apps,
  • device accounts,
  • list of files on the device,
  • running apps,
  • list of installed apps, and
  • device info.

The analyzed sample, however, has limited functionality, only requesting access to contacts and storage media.

Permissions requested upon installation

Upon installation, FurBall makes an HTTP request to its C&C server every 10 seconds, asking for commands to execute.

C2 response returning no command for execution
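One way to look for the 10-second polling described above in web-proxy logs, as an added example that is not from the ESET report or the original article. The log format, the host names, and the `find_pollers` helper with its thresholds are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed proxy log lines: "<ISO time> <client IP> <URL>".
# Hosts and paths are placeholders, not indicators from the ESET report.
SAMPLE_LOG = """\
2022-10-20T10:00:00 10.0.0.5 http://poll.example.invalid/x1
2022-10-20T10:00:03 10.0.0.5 http://news.example.org/index
2022-10-20T10:00:10 10.0.0.5 http://poll.example.invalid/x1
2022-10-20T10:00:20 10.0.0.5 http://poll.example.invalid/x1
2022-10-20T10:00:31 10.0.0.5 http://poll.example.invalid/x1
2022-10-20T10:00:41 10.0.0.5 http://poll.example.invalid/x1
2022-10-20T10:00:47 10.0.0.5 http://news.example.org/a.css
2022-10-20T10:01:21 10.0.0.5 http://poll.example.invalid/x1
2022-10-20T10:01:31 10.0.0.5 http://poll.example.invalid/x1
2022-10-20T10:01:40 10.0.0.5 http://poll.example.invalid/x1
2022-10-20T10:02:30 10.0.0.5 http://news.example.org/b.js
"""

def find_pollers(log_text, period=10.0, tolerance=1.5,
                 min_requests=6, min_share=0.8):
    """Return (client, host, requests, share) for each client/host pair
    whose gaps between requests mostly match `period` seconds."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        stamp, client, url = parts
        host = urlsplit(url).hostname
        if host is None:
            continue  # URL without a host part
        seen[(client, host)].append(datetime.fromisoformat(stamp))
    hits = []
    for (client, host), times in sorted(seen.items()):
        if len(times) < min_requests:
            continue  # too few requests to call it a pattern
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        share = sum(abs(g - period) <= tolerance for g in gaps) / len(gaps)
        # A sleeping device skips polls, so require most gaps, not all, to match.
        if share >= min_share:
            hits.append((client, host, len(times), round(share, 2)))
    return hits

if __name__ == "__main__":
    for hit in find_pollers(SAMPLE_LOG):
        print(hit)
```

A fixed-interval match like this only narrows the search; legitimate apps also poll on timers, so flagged hosts still need review.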

Researchers say obfuscation can be spotted in class names, method names, some strings, logs, and server URI paths.

“The Domestic Kitten campaign is still active, using copycat websites to target Iranian citizens. The operator’s goal has changed slightly from distributing full-featured Android spyware to a lighter variant”, ESET researchers.


Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.