
ESET discovers new version of spyware targeting Iranian citizens, FurBall, hidden in translation app

ESET researchers recently identified a new version of Android FurBall malware used in a “Domestic Kitten” campaign.

The latter dates back to at least 2016 and is still active.

It mainly targets Iranian citizens.

We discovered a new obfuscated sample of FurBall for Android.

This sample is distributed from a fake site.

The analyzed sample has restricted spying functionality in an attempt to evade detection.

Researchers from ESET, Europe's leading publisher of security solutions, have recently identified a new version of the Android FurBall malware. This version is used in a campaign called Domestic Kitten. The APT-C-50 hacker group conducts surveillance operations targeting the smartphones of Iranian citizens. Since June 2021, the malware has been distributed under the guise of a translation application through a copy of an Iranian website providing translated articles, journals and books. The Domestic Kitten campaign dates back to at least 2016 and is still active.

This version of FurBall has the same monitoring features as previous versions. Since the functionality of this variant has not changed, the main purpose of this update seems to be to evade security software. These changes, however, had no effect on ESET solutions, which detected this threat as Android/Spy.Agent.BWS. FurBall, the Android malware used since the beginning of these campaigns, was created from the commercial stalkerware KidLogger.

The analyzed sample requests only one intrusive permission: access to contacts. The reason could be an attempt to avoid detection, but we also believe that it could be the preliminary phase of a targeted phishing attack carried out by SMS. If the threat actor expands the permissions of the app, it might also be possible to exfiltrate other types of data from the affected phones, such as text messages, device geolocation, phone calls and more.

“This malicious Android application is distributed via a fake website that imitates a legitimate site that offers articles and books translated from English to Persian. According to the contact details of the legitimate website, this service is offered from Iran, which leads us to believe with near certainty that the fake website is targeting Iranian citizens,” says Lukáš Štefanko, researcher at ESET who discovered the malware.

“The goal is to offer an Android application to download after clicking on a button that says in Persian ‘Download the application’. The button has the Google Play logo, but this app is not available in Google Play Store. It is downloaded directly from the attacker's server,” adds Štefanko.
