Security researchers have discovered a new mobile malware campaign targeting Iranian citizens as well as evidence that the Iranian government might be behind the operation.
According to a blog post by researchers at Check Point Software, Domestic Kitten is targeting both ISIS supporters and Kurdish groups in the north of the country, as well as internal dissidents and opposition forces.
Nation state hackers have created fake Android apps to lure potential victims. These include ISIS branded wallpaper changer, "updates" from the ANF Kurdistan news agency and a fake version of the messaging app, Vidogram.
"Due to the names and content that is offered by the above-mentioned applications then, we are lead to believe that specific political groups and users, mainly ISIS supporters and the Kurdish ethnic group, are targeted by the operation," said researchers.
Once a victim downloads and installs a fake app, it collects information form a device such as SMS/MMS messages, phone calls records, contacts list, browser history and bookmarks
external storage, application list, clipboard content, and geo-location and camera photos. It also collects voice recordings.
This information is the put in an AES-encrypted zip file and sent back to a C&C server.
Researchers said that around 240 users have so far fallen victim to this surveillance campaign.
"In addition, due to careful documentation of the campaign by its creators showed we were able to learn that over 97 percent of its victims are Iranian, consistently aligning with our estimation that this campaign is of Iranian origin," said researchers. They also found evidence of victims from Afghanistan, Iraq and the UK.
The number of victims could be much higher as the full contact list stored in each victim’s mobile device, including full names and at least one of their phone numbers, was also harvested by the attackers.
"In addition, due to phone calls, SMS details, as well as the actual SMS messages, also recorded by the attackers, the private information of thousands of totally unrelated users has also been compromised," said researchers.
Researchers said that while the exact identity of the actor behind the attack remains unconfirmed, their observations led them to believe that the operation was of Iranian origin.
"In fact, according to our discussions with intelligence experts familiar with the political discourse in this part of the world, Iranian government entities, such as the Islamic Revolutionary Guard Corps (IRGC), Ministry of Intelligence, Ministry of Interior and others, frequently conduct extensive surveillance of these groups," said researchers.
Andy Norton, director of threat intelligence at Lastline, told SC Media UK that Iran has a well-developed and utilised cyber-warfare capability. The focus of this campaign is perceived domestic threats to the existing Iranian regime.
"Deception plays a big part in compromising target systems, and this method of infection is common across the targets of Iranian interest, whether they be domestic or foreign campaigns," he said.
"The most important aspect to address is to recognise the nature of asynchronous warfare. Once organisations cognitively recognise they are under attack, they raise their game and introduce behavioural intelligence to address the deception techniques; Targeting the human victim and AI based analytics to aid cyber-resources to find the real threat in the signals contained in big data."
Joseph Carson, chief security scientist at Thycotic, told SC Media UK that organisations can defend against such attacks by educating employees on being more cautious about the applications they install on their mobile devices.
"For example, if they are corporate-owned devices, they can protect and manage them using a Mobile Device Management solution that will limit the applications that can be installed. So far, only a small number of devices have been targeted and infected but the lesson we can learn from this is to always ensure you are installing mobile applications from legitimate trusted sources," he said.