Hacking group updates Furball Android spyware to evade detection

A new version of the 'FurBall' Android spyware has been found targeting Iranian citizens in mobile surveillance campaigns conducted by the Domestic Kitten hacking group, also known as APT-C-50.

The spyware is deployed in a mass-surveillance operation that has been underway since at least 2016. In addition, multiple cybersecurity firms have reported on Domestic Kitten, which they believe is an Iranian state-sponsored hacking group.

The newest FurBall malware version was sampled and analyzed by ESET researchers, who report it has many similarities with earlier versions, but now comes with obfuscation and C2 updates.

Also, this discovery confirms that 'Domestic Kitten' is still ongoing in its sixth year, which further backs the hypothesis that the operators are tied to the Iranian regime, enjoying immunity from law enforcement.

New FurBall details

The new version of FurBall is distributed via fake websites that are visually clones of real ones, where victims end up after direct messages, social media posts, emails, SMS, black SEO, and SEO poisoning.

In one case spotted by ESET, the malware is hosted on a fake website mimicking an English-to-Persian translation service popular in the country.

In the fake version, there’s a Google Play button that supposedly lets users download an Android version of the translator, but instead of landing on the app store, they are sent an APK file  named ‘sarayemaghale.apk.’.

Depending on what permissions are defined in the Android app's AndroidManifest.xml file, the spyware is capable of stealing the following information:

• Clipboard contents
• Device location
• SMS messages
• Contact list
• Call logs
• Record calls
• Content of notifications
• Installed and running apps
• Device info

However, ESET says that the sample it analyzed has limited functionality, only requesting access to contacts and storage media.

These permissions are still powerful if abused, and at the same time, won't raise suspicions to the targets, which is likely why the hacking group restricted FurBall's potential.

If needed, the malware can receive commands to execute directly from its command and control (C2) server, which is contacted via an HTTP request every 10 seconds.

In terms of the new obfuscation layer, ESET says it includes class names, strings, logs, and server URI paths, attempting to evade detection from anti-virus tools.

Previous versions of Furball didn’t feature any obfuscation at all. Hence, VirusTotal detects the malware on four AV engines, whereas previously, it was flagged by 28 products.