A new campaign using an updated variant of the FurBall Android malware has been attributed to the threat group Domestic Kitten, also known as APT-C-50. Domestic Kitten has been active since at least 2016 and has previously been tied to the Iranian government. The group primarily targets people critical of the Iranian regime, such as internal dissidents, opposition forces, and ISIS advocates.
In this latest campaign, the group disguises its malware as a translation app hosted on a phishing page built to look like a copy of an Iranian website that provides translated articles, journals, and books. This is consistent with the group's historical methods, which typically involve distributing a rogue application via Iranian blog sites, Telegram channels, and SMS messages. Across these campaigns the group has deployed different variants of FurBall, a customized version of KidLogger with capabilities to gather and exfiltrate data. The new variant differs from earlier ones in that it contains an elementary code obfuscation scheme intended to evade security controls. It also requests only the contacts permission at install time, even though it can retrieve commands from a remote server that direct it to gather files from external storage and to list installed apps, basic system metadata, and synced user accounts. The narrow permission request is worth noting for defenders: the app's declared permissions understate what its command-driven functionality can do.
The latest Domestic Kitten campaign highlights not only the continued use of phishing as an initial access vector, but also the growing mobile malware market. This form of malware should be on the radar of every enterprise, especially those with Bring-Your-Own-Device (BYOD) policies, as employers have limited ways to monitor their employees' mobile devices. With the growing threat of malware targeting mobile devices, it is becoming increasingly likely that an employee's personal device will be compromised. While these Domestic Kitten campaigns focused primarily on harvesting personal data from Iranian regime dissidents, a different payload can be delivered just as easily through the same channels, which raises the risk of compromise for any organization. With this in mind, the best step an organization can take is to allow company information only on corporate-managed devices. Additionally, user education is imperative to maintaining a strong security posture.