
Warning Of Security Researchers: Furball Malware Has Been Monitoring The Phones Of Iranian Users Since June 1400

In a shocking report, a group of security researchers has announced an attempt to monitor the phones of Iranians through malware. This malware is distributed in the form of an English-to-Farsi translation application.

ESET security researchers have managed to identify a new version of the FurBall Android malware, which they claim was used by the APT-C-50 hacker group in a campaign called Domestic Kitten.

The Domestic Kitten campaign made headlines due to mobile surveillance operations on Iranian citizens. According to the WeLiveSecurity news agency, the new version of FurBall has targeted Iranians again.

Researchers say that the FurBall malware has been distributed since June 2021 (Khordad and July 1400) as a translation application through a copied version of one of the Iranian websites.

The main website, headquartered in Tehran’s Revolution Square, offers “translated articles, magazines, and books” to its users. The application containing the FurBall malware was uploaded to the VirusTotal website, and security researchers were able to begin analyzing it using special tools.

According to WeLiveSecurity’s claim, the new version of the FurBall malware, like the previous versions, is designed to monitor users’ devices. Still, the developers have made changes to it to make it harder for researchers to identify it.

It is said that despite the changes, the ESET antivirus service was still able to detect the application containing FurBall as a virus.

The app reviewed by the researchers only requested access to the phone’s contact list, a choice that appears to have been made to avoid drawing attention to the malware. Researchers say this feature of the new version of FurBall may be the first stage of a broader attack via SMS.

Should the malware developer expand the application’s permissions, other types of data could also be extracted: clipboard text, SMS text, device location, the contact list, recorded voice calls, all notifications from other applications, user accounts on the device, a list of all files on the device, running applications, the list of installed applications, and phone information.


More worryingly, if the malware’s permissions are extended, the app can receive commands to take photos and record videos. Pictures and videos are then uploaded directly to the server. Researchers say that the version installed by Iranian users can still receive commands from the server. Still, in its normal mode it is limited to a small set of actions: extracting the contact list, accessing files in external storage, listing installed applications, collecting basic information about the phone, and listing the user accounts on the device.
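The permission pattern described above (a minimal build requesting only contacts, versus an expanded build that could reach SMS, location, audio, files, accounts, notifications and the camera) is something a defender can triage directly from an app’s manifest. The following is an added example, not code from the original post or from ESET; the two manifests are constructed, and the baseline of permissions a translation app "should" need is an assumption for illustration. The permission names themselves are real Android identifiers.

```python
"""Triage the permissions an Android app declares against what its stated purpose needs."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"

# Real Android permissions mapped to the data categories the article lists.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contact list",
    "android.permission.READ_SMS": "SMS text",
    "android.permission.RECEIVE_SMS": "SMS text",
    "android.permission.ACCESS_FINE_LOCATION": "device location",
    "android.permission.ACCESS_COARSE_LOCATION": "device location",
    "android.permission.RECORD_AUDIO": "recorded calls / audio",
    "android.permission.READ_PHONE_STATE": "phone information",
    "android.permission.GET_ACCOUNTS": "user accounts on the device",
    "android.permission.READ_EXTERNAL_STORAGE": "files on the device",
    "android.permission.CAMERA": "photos and video",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notifications from other apps",
}

# Assumed baseline (not from the page): what a translation app plausibly needs.
TRANSLATION_BASELINE = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
}

# Constructed manifest resembling the minimal build: contacts only.
MINIMAL_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.translate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Translate"/>
</manifest>"""

# Constructed manifest resembling an expanded build with broad collection rights.
EXPANDED_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.translate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Translate">
    <service android:name=".NotifSvc"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""


def declared_permissions(manifest_xml):
    """Collect <uses-permission> names plus bind permissions on declared services."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(NAME_ATTR) for e in root.iter("uses-permission")}
    # Notification access is granted through a service guarded by a bind
    # permission, not through <uses-permission>, so it is collected separately.
    for svc in root.iter("service"):
        bind_perm = svc.get(PERM_ATTR)
        if bind_perm:
            perms.add(bind_perm)
    return perms


def triage(manifest_xml, baseline=TRANSLATION_BASELINE):
    """Return permissions outside the baseline and the data they would expose."""
    perms = declared_permissions(manifest_xml)
    unexpected = perms - baseline
    exposed = sorted({SENSITIVE[p] for p in unexpected if p in SENSITIVE})
    return {"unexpected": sorted(unexpected), "exposed_data": exposed}


if __name__ == "__main__":
    for label, manifest in (("minimal", MINIMAL_MANIFEST), ("expanded", EXPANDED_MANIFEST)):
        print(label, triage(manifest))
```

The minimal build surfaces a single unexpected category (the contact list), which is exactly why a permission-only review can under-rate a sample that is built to look modest; the expanded build shows how the same triage exposes the full collection surface the article describes. In practice the baseline would be tuned per app category and combined with the dynamic indicators below.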

After being installed on the phone, the FurBall malware contacts its server every 10 seconds to request a command. Experts say that the new version of FurBall has no new features compared to the previous versions, apart from changes to the code.
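A fixed 10-second check-in like the one described above is a low-jitter beacon, and that regularity is detectable in outbound connection logs even when the payload is encrypted. The following is an added example, not code from the original post or from ESET; the log lines are constructed, and the thresholds (at least five connections, mean interval of 60 s or less, standard deviation of 1 s or less) are illustrative assumptions.

```python
"""Flag device/destination pairs that connect at a fixed short interval."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed outbound-connection log (not from the page):
# <ISO timestamp> <device> -> <destination>
SAMPLE_LOG = """\
2021-06-15T10:00:00 phone-a -> 203.0.113.10:443
2021-06-15T10:00:03 phone-a -> 198.51.100.7:443
2021-06-15T10:00:10 phone-a -> 203.0.113.10:443
2021-06-15T10:00:00 phone-b -> 192.0.2.50:443
2021-06-15T10:00:20 phone-a -> 203.0.113.10:443
2021-06-15T10:00:41 phone-a -> 198.51.100.7:443
2021-06-15T10:00:30 phone-a -> 203.0.113.10:443
2021-06-15T10:00:10 phone-b -> 192.0.2.50:443
2021-06-15T10:01:05 phone-a -> 198.51.100.7:443
2021-06-15T10:00:40 phone-a -> 203.0.113.10:443
2021-06-15T10:02:30 phone-a -> 198.51.100.7:443
2021-06-15T10:00:50 phone-a -> 203.0.113.10:443
2021-06-15T10:02:31 phone-a -> 198.51.100.7:443
2021-06-15T10:00:20 phone-b -> 192.0.2.50:443
2021-06-15T10:04:12 phone-a -> 198.51.100.7:443
"""


def parse_log(text):
    """Group connection timestamps by (device, destination)."""
    events = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, device, _arrow, dest = line.split()
        events[(device, dest)].append(datetime.fromisoformat(ts))
    return events


def find_beacons(events, min_events=5, max_interval_s=60.0, max_jitter_s=1.0):
    """Return pairs whose inter-connection gaps are short and nearly constant."""
    hits = []
    for (device, dest), times in events.items():
        if len(times) < min_events:
            continue  # too few samples to judge periodicity
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        interval = mean(gaps)
        jitter = pstdev(gaps)  # population std-dev of the gaps
        if interval <= max_interval_s and jitter <= max_jitter_s:
            hits.append({
                "device": device,
                "dest": dest,
                "interval_s": round(interval, 1),
                "jitter_s": round(jitter, 2),
                "count": len(times),
            })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(hit)
```

In the constructed sample only phone-a’s connections to 203.0.113.10 are flagged: they arrive exactly every 10 seconds. The same device’s traffic to 198.51.100.7 has irregular gaps (ordinary browsing) and phone-b has too few events to judge. Real logs need an allow-list for legitimate pollers (push services, monitoring agents) and a longer observation window, but the core signal of a short, jitter-free interval is what the 10-second check-in leaves behind.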

The hacker group APT-C-50 has been trying to monitor Iranian users’ smartphones since at least 2016 under the Domestic Kitten campaign. In 2018, the security company Check Point published an important report focusing on this campaign.

A year later, Trend Micro identified similar malware targeting the Middle East in a campaign it called Bouncing Golf.

In 2020 and 2021, there were separate reports about the FurBall malware. At the time, the campaign was said to have ties to Domestic Kitten. Later that year, Qianxin claimed that the Domestic Kitten campaign was once again attacking Iranian users.

FurBall is an Android malware that has been used since the first attacks in the Domestic Kitten campaign and is based on the commercial tool KidLogger. The developers of FurBall are said to have been inspired by the open-source version of KidLogger that was available seven years ago.

Experts say that the application containing FurBall was distributed through a copied version of one of the Iranian websites. More precisely, the Android version of the application is downloaded to the user’s smartphone after clicking the “Download Application” button. The Google Play logo appears on the download option, but clicking it does not redirect to Google Play.

Experts say that the new version of FurBall shows that, contrary to what some people think, the Domestic Kitten campaign is still active and targets Iranians. This time, the person or group responsible for this campaign distributes a modified version with more limited capabilities to the phones instead of distributing all-purpose malware.

We recommend you always install an antivirus on your phone and all your devices. Also, do not download applications from anywhere other than official stores such as the App Store and Google Play.