A malicious Android application disguised as a mobile phone utility was recently shared with our team at CERTFA Lab. Upon analysis, we discovered this sample to be a sophisticated surveillance tool with strong indicators linking it to Domestic Kitten (APT-C-50), an Iranian state-backed hacking group associated with the Islamic Revolutionary Guard Corps (IRGC).
The APK, named "تلفن همراه" (Mobile Phone in Persian), masquerades as a legitimate phone application while secretly harvesting sensitive data from infected devices. Upon installation, the malware requests extensive permissions including access to SMS messages (with priority 999 to intercept 2FA codes before the user sees them), contacts, call logs, location data, camera, microphone, and storage. The app registers itself to start automatically on device boot and maintains persistence through a foreground service disguised as an "IoT connectivity keep-alive" function.
Based on our analysis, we assess with high confidence that this malware is linked to Domestic Kitten/APT42, an IRGC-affiliated threat actor that has been conducting surveillance operations against Iranian citizens since at least 2016. Key attribution indicators include:
- Firebase-based C2 infrastructure (consistent with Domestic Kitten TTPs since 2018)
- Persian language targeting (Iran Sans fonts embedded, Persian app name)
- SMS interception with maximum priority (signature technique for 2FA bypass)
- Sophisticated obfuscation patterns matching previous Domestic Kitten samples
- Targeting profile consistent with surveillance of diaspora and activists
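As an added defender-side example (not CERTFA's tooling, nor code from the sample), the following Python script triages a decoded AndroidManifest.xml (e.g. apktool output) for the traits described above: the broad surveillance permission set, a high-priority SMS_RECEIVED receiver, a BOOT_COMPLETED receiver and the FOREGROUND_SERVICE permission. The embedded manifest is constructed for illustration and is not the real APK's.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # the android: namespace
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
BOOT_COMPLETED = "android.intent.action.BOOT_COMPLETED"
SPY_PERMS = {f"android.permission.{p}" for p in (  # cluster named in the advisory
    "RECEIVE_SMS", "READ_SMS", "READ_CONTACTS", "READ_CALL_LOG",
    "ACCESS_FINE_LOCATION", "CAMERA", "RECORD_AUDIO")}
# Constructed sample (not the real APK's manifest) showing the described traits.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

def _priority(flt):  # decoded manifests may carry '@integer/..' refs: count as 0
    try:
        return int(flt.get(A + "priority", "0"))
    except ValueError:
        return 0

def triage_manifest(xml_text, min_spy_perms=4, sms_priority=999):
    """Return [(finding, detail)] for the manifest traits the advisory describes."""
    root = ET.fromstring(xml_text)
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    findings = []
    hits = sorted(perms & SPY_PERMS)
    if len(hits) >= min_spy_perms:
        findings.append(("broad_surveillance_permissions", ",".join(hits)))
    if "android.permission.FOREGROUND_SERVICE" in perms:
        findings.append(("foreground_service_permission", "check what the service keeps alive"))
    for recv in root.iter("receiver"):
        name = recv.get(A + "name")
        for flt in recv.findall("intent-filter"):
            actions = {a.get(A + "name") for a in flt.findall("action")}
            if SMS_RECEIVED in actions and _priority(flt) >= sms_priority:
                findings.append(("high_priority_sms_receiver", f"{name} priority={_priority(flt)}"))
            if BOOT_COMPLETED in actions:
                findings.append(("boot_persistence", name))
    return findings
```

Any single finding is weak on its own (legitimate SMS apps also register receivers); the combination of all four on an unknown, sideloaded package is what warrants a closer look.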
While we cannot confirm specific targeting at this time, Domestic Kitten operations historically focus on:
- Iranian citizens, particularly ethnic minorities (Kurds, Baluchis, Azerbaijanis)
- Political dissidents and opposition figures
- Journalists and human rights activists
- Members of the Iranian diaspora
- Individuals associated with organizations critical of the Iranian government
Recommendations
To protect yourself against these attacks, we strongly recommend that you:
- Never install APKs from unknown sources, messaging apps, or links shared via SMS/email
- Enable Google Play Protect on your Android device
- Review installed applications for any Persian-language apps you don't recognize
- Use hardware security keys for two-factor authentication where possible
- Consider using a separate device for sensitive communications if you are at high risk
If you believe you may have installed this malware, factory reset your device immediately and change passwords for all accounts accessed from that device.
IOCs:
948ebd03f2fd271a04bce9b5fe32061a284ac6b39c5da633437432cbffacd1d3 com.chvi.pool