Analysts at ESET have found a new Android malware variant dubbed FurBall being used to target and spy on Iranian citizens. The spyware’s deployment is likely an extension of the wider Domestic Kitten campaign launched by the threat actor APT-C-50. Although the spyware has picked up some new scripts and other changes, its basic functionality matches that used by the APT-C-50 group, and much remains unchanged from previous versions. The spyware is delivered via a malicious app that claims to offer Iranian translations of books and magazines.
The campaign targeting Iranian civilians was first identified in 2016. ESET found that the sample it obtained requests access to a target’s contacts. This is likely an attempt to stay under the radar, or it could indicate that this is just the initial phase of the attack and that spearphishing attempts would come later via text messages. If the attackers expand the app’s permissions, they would be able to spy on additional data such as location information, text messages, voice calls, and more.