Iranian APT39 Uses Android Malware for Domestic Surveillance
- Actor Motivations: Espionage, Exfiltration
- Attack Vectors: Malware, Spyware
- Attack Complexity: Medium
- Threat Risk: High Impact/High Probability
Threat Overview
The ReversingLabs analysis, based on an FBI report, reveals that the Iranian-backed APT39 (Rana Corp) is using Android malware for state-sponsored surveillance, primarily targeting individuals the Iranian government deems a threat. The malware abuses smartphone features such as the camera and microphone to spy on users: it can intercept SMS, record audio, take photos and manipulate network connections. The samples use obfuscation, but analysis of an older, less obfuscated sample revealed the core capabilities for remote monitoring and control. The malware specifically monitors Iranian messaging apps, which points to domestic surveillance. Targets include political dissidents and other individuals of interest within Iran.
Detected Targets
| Type | Description | Confidence |
|---|---|---|
| Sector | Human Rights | High |
| Sector | Journalists | High |
| Sector | Pro-Democracy | High |
| Region | Iran | Verified |
Extracted IOCs
- 100ostad[.]ir
- ccloudflare[.]com
- chembook[.]ir
- ctci[.]ir
- elfdomainone[.]com
- facedomainpc[.]com
- facedomaintv[.]com
- fullplayersoftware[.]com
- irchemistry[.]com
- irchemistry[.]net
- ktci[.]ir
- lifedomainwar[.]com
- milanionline[.]ir
- sadostad[.]com
- sadostad[.]ir
- softwareplayertop[.]com
- wherisdomaintv[.]com
- whoisdomainpc[.]com
- 28fa9354be6ce503ee7c1f7615a26cdd99d7b801
- c2694dae46fd2846368731d92e810f32c2c9a2f9
- c552f74bf23211428b7fab141a72db9073a98729
Related IOCs for this threat: 21 in total (18 domains, 3 file hashes; no IPs, URLs or email addresses).