A mobile spyware campaign against mainly Iranian citizens has been spotted – with evidence that the Iranian government might be involved.

The operation is dubbed Domestic Kitten by Check Point researchers — “kitten” to follow common APT nomenclature for Iranian groups and “domestic” because they believe the group is affiliated with the Iranian government, targeting Iranian citizens. The campaign mainly targets ISIS supporters and members of the Kurdish ethnic group residing with Iran — two groups that Tehran regards as hostile to its interests.

The threat actor takes a watering-hole approach, using carefully crafted fake Android apps to attract victims of interest. These include an ISIS-branded wallpaper app, a news updates app purporting to be from the legitimate ANF Kurdistan news agency, and a fake version of the Vidogram messaging app.

“Those behind the attack use fake decoy content to entice their victims to download such applications, which are in fact loaded with spyware, to then collect sensitive information about them,” Check Point analysts noted in a research brief.

So far, about 240 users have fallen victim to the surveillance, Check Point found – and 97 percent of its victims are Iranian. There are also a handful of victims from Afghanistan, Iraq and Great Britain.

“While the number of victims [is limited], the number of people affected by this operation is actually much higher,” the researchers noted. “This is due to the fact that the full contact list stored in each victim’s mobile device, including full names and at least one of their phone numbers, was also harvested by the attackers. In addition, due to phone calls, SMS details, as well as the actual SMS messages, also recorded by the attackers, the private information of thousands of totally unrelated users has also been compromised.”

Malware Analysis

Once an app is downloaded and the malware is installed, it picks up contact lists stored on the victim’s mobile device, phone call records, SMS messages, browser history and bookmarks, geo-location of the victim, external storage, photos, surrounding voice recordings and more.

Then, it loads the information into an AES-encrypted Zip archive file and sends it back to the command-and-control servers using HTTP POST requests. This is an on-demand process that’s carried out when the attackers send a command, such as “Get Contacts.”

All of the applications use the same certificate, issued back in 2016, and are affiliated with the same email address (telecom2016[@]yahoo [.] com). They also all use a misspelled package name (andriod.browser).

“Interestingly, the log documentation includes the name of the malicious application used to intercept the victims’ data, as well as an Application Code Name field,” the researchers said. “This field includes a short description of the app, which leads us to believe that this is a field used by the attackers to instantly recognize the application used by the victim. Observed code names include Daesh4 (ISIS4), Military News, Weapon2, Poetry Kurdish.”

As for attribution, the researchers said that they believe Iranian government entities, such as the Islamic Revolutionary Guard Corps (IRGC), Ministry of Intelligence, Ministry of Interior or others, are behind the espionage.

“While the exact identity of the actor behind the attack remains unconfirmed, current observations of those targeted, the nature of the apps and the attack infrastructure involved leads us to believe this operation is of Iranian origin,” the researchers said. “In fact, according to our discussions with intelligence experts familiar with the political discourse in this part of the world, [the government] frequently conducts extensive surveillance of these groups.”