Iranian state-sponsored threat group Domestic Kitten, also known as APT-C-50, has deployed the updated FurBall Android spyware in mobile surveillance campaigns targeting Iranian citizens, BleepingComputer reports.
Despite having many similarities with prior versions, the new FurBall malware includes obfuscation and command-and-control updates, according to an ESET report.
Domestic Kitten has spread the updated spyware through fraudulent sites impersonating legitimate ones. The malware can steal device location, SMS messages, clipboard contents, the contact list, call logs, notification contents, device information, and the lists of installed and running apps. Although the sample ESET obtained requested only contacts and storage-media permissions, it could retrieve executable commands directly from its command-and-control (C2) server.
The report also notes that FurBall's new obfuscation layer covers class names, logs, strings, and server URI paths. That layer reduced detection on VirusTotal to only four antivirus engines, compared with 28 engines for the older version.