Domestic Kitten: Iranian APT quietly snooping for sensitive info via malicious mobile apps for years

• Domestic Kitten leverages spyware-loaded mobile apps with fake decoy content believed to be of interest to the victim.
• The group's targets include Kurdish and Turkish natives, and ISIS supporters - all Iranian citizens.

Security researchers have detailed a new Iranian threat group dubbed Domestic Kitten that has been leveraging malicious mobile apps to spy on victims and steal sensitive information since 2016. Check Point researchers said the group's targets include Kurdish and Turkish natives, and ISIS supporters - all Iranian citizens.

The group leverages spyware-loaded mobile apps with fake decoy content believed to be of interest to the targeted victim and designed to lure them into downloading it. Some of the apps discovered by researchers included an ISIS-themed wall paper changer, an app purporting to provide "updates" from the ANF Kurdistan news agency and a fake version of the Videogram messaging app.

The malware collects a slew of valuable data from the infected device including contact lists, phone call records, SMS messages, photos, browser history and bookmarks, geo-location data and surrounding voice recordings among other information. The stolen data is then relayed to the C&C servers using HTTP POST requests. The data delivered to the servers are encrypted with the AES algorithm and can be decrypted with a device ID created by the attacker for each victim.

One of the malicious apps was observed contacting a newly registered website that initially resolved to an Iranian IP address. However, it later switched to a Russian address.

The certificate used to sign these apps was issued in 2016, researchers said. This could indicate that the cyber espionage campaign has been running under the radar since then.

Researchers believe approximately 240 users have fallen victim to Domestic Kitten's surveillance campaign so far - 97% of whom are Iranian. Besides the Iranian targets, victims from the UK, Afghanistan and Iraq were also detected. However, Check Point believes the personal information of thousands of victims has been compromised in this campaign given that the contact details, phone calls and SMS messages of victims were pilfered by the attackers.

Although the identity of the attackers behind the cyber espionage campaign is still unclear, researchers believe the operation is of Iranian origin.

"According to our discussions with intelligence experts familiar with the political discourse in this part of the world, Iranian government entities, such as the Islamic Revolutionary Guard Corps (IRGC), Ministry of Intelligence, Ministry of Interior and others, frequently conduct extensive surveillance of these groups," Check Point researchers wrote in a blog post.

"Indeed, these surveillance programs are used against individuals and groups that could pose a threat to stability of the Iranian regime. These could include internal dissidents and opposition forces, as well as ISIS advocates and the Kurdish minority settled mainly in Western Iran."