Malware Made for Iranians: New Malware ‘Corrupt Kitten’ Used to Spy on Iranians

In this time when so many enemies are waging soft war against innocent Iranians using many excuses, Iranians expect the government of the Islamic Republic to protect them against this. An investigation by Iranian Cyber News Agency in collaboration with a source, has reached this shocking conclusion that instead of protecting citizens, the Iranian government or military is actively using advanced malware to spy on and attack them.

Iran Cyber News Agency investigation has discovered more evidence of attacks involving malware against Iranian citizens. Most importantly, it appears the Iranian government could be itself responisble for these attacks against its own people. ICNA’s source, a member of a prominent hackticist group who did not want his name written, was able to access a server hosting the control panel of the malware. This informed source said the malware has ‘advanced capability, it is widespread and very intrusive’. When it has been installed on a victims device it can access their contacts, files and photos, browser history, SMS messages and recorded audio and location. However the capabilities of the malware was not limited to just stealing data but also gave the attacker the ability to take control of their victim’s device as well.

Stolen Photo of a Bank Transfer

ICNA was given samples to prove these claims and ICNA reached this conclusion that the sophisitication of the malware means only the government or military could have created it. At the same time the log files collected prove that it was operated from inside Iran.

The targets of the attacks appear to be Iranian, which we can see by this photo found in the data of a passport of an individual who was born in Iran.

Stolen photo of passport of a person born in Iran

This is the latest in a series of Iranian Android malware exposures, including those previously reported on by ICNA. The source has named this campaign Corrupt Kitten following the style set by other malware researchers like those reported on previoulsy.

The attackers are able to access device and software info, and list all the apps the victim has installed on their phone. They can upload browser history, giving them ability to see all of the websites that the victim visits and look at their habits and interests. They have the ability to live stream any activity on the phone to the attacker. They are also able to list stored contacts – giving them contact details for the victim’s friends and family and business associates.

The malware lets the attacker access a list of recieved, missed and outgoing calls for the victim’s device. They can even record calls made or received on the victim’s communications. SMS content included messages about hospital appointments and treatments, good or bad relationship with family members, travel dates and locations informing attackers when the victim would be away from home, discussion of political meetings, applications for visa and allegiance to various groups.

Most interestingly and possibly of more concern to those victim to the attack is that the attackers could also send an SMS message from the victim’s phone. This could give the attacker ability to impersonate the victim and send malicious messages in his name, or tricking someone else to doing something if they beleive the message came from the actual owner of the device. They could even attach private images from the victim’s device photos and send them to contacts. This could easily be used to blackmail the victim or destroy their reputation

Iranian telephone numbers with recorded calls

Also files are fully accesible and attackers can upload a file from a victim’s device to their servers and gain complete access to the content. This gives them ability to access images and audio that are sent through apps such as Whatsapp, Telegram, Viber and Facebook. Although these apps encrypt messages in transit, they are stuill accessible for the attacker as they are not encrypted when they are saved on the device. It is also worrying that, they can download files onto the victim’s device and delete files – which could be used to plant fake imcriminating evidence or delete important user data.

Telegram screenshot stolen from victims

WhatsApp screenshot stolen from victims

The attackers can use the malware to inform them of the connectivity state – whether it is connected to the internet by GSM or wifi. These information help them to decide when they can transfer large files off the device. The attackers can also see the device locaton by the cell tower it is connected to or by much more accurate readings of GPS coordinates. With montioring this location information the attacker can monitor the victims travel movements and predict regular journeys, tracking where an individual is at every moment. they can also toggle bluetooth, mobile data and wifi off and on so they have the ability to interupt the victims by cutting them off from the internet at a sensitive time.

Most intrusively the attackers can determine whether the screen is currently on or off, so they know when the victim is not actively using the deivce. At this time, they can spy on what the victim is doing in the physical world by tasking a pictre using device camera or sending the command to activate the microphone to record sound. They can alos do this with the camera to record video of the device’s surroundings.

The level of technical capaility is so advanced that only a government or military can be responisble. On this basis, it is likely that the number of victims seen are only a small number of the total and it is unknown just how many other Iranian or any other victims there are. This level of attack could easily mean a victims entire life being taken over or destroyed. It represents one of the biggest violations of the privacy of Iranian citizens than seen before and it may be the start of even worse crimes.

With the permission of our source ICNA will release the technical details of this malware in the next week.

Leave a Reply

Your email address will not be published. Required fields are marked *