Up to 240 people, mostly Iranian ISIS supporters and minorities, were targeted in an operation called "Domestic Kitty."
By Tom O'Connor, Newsweek
Iran reportedly tricked suspected supporters of the Islamic State militant group (ISIS) into downloading a wallpaper mobile phone application that allowed the government to spy on them.
Researchers from Israeli online security company Check Point Software Technologies said Friday that they uncovered a covert two-year spyware operation they have dubbed "Domestic Kitten" that "until now, has remained under the radar due to the artful deception of its attackers." The plot included jihadi-themed wallpapers and fake news applications that would secretly gather information on their targets, which in this case included Iranian ISIS supporters and members of Iran's Kurdish and Turkish minorities.
"While the exact identity of the actor behind the attack remains unconfirmed, current observations of those targeted, the nature of the apps and the attack infrastructure involved leads us to believe this operation is of Iranian origin," a post featured on Check Point's blog read.
"In fact, according to our discussions with intelligence experts familiar with the political discourse in this part of the world, Iranian government entities, such as the Islamic Revolutionary Guard Corps (IRGC), Ministry of Intelligence, Ministry of Interior and others, frequently conduct extensive surveillance of these groups," it continued, adding that such operations targeted "individuals and groups that could pose a threat to stability of the Iranian regime."
One of the applications shown to contain the spyware was an ISIS-themed wallpaper named Dawlat Khilafah al-Islamiya—a grammatically incorrect Arabic translation of "the Islamic Caliphate State" that should instead read Dawlat al-Khilafah al-Islamiya. Its thumbnail shows an ISIS banner, and the application itself appears to show a number of pro-ISIS pictures to choose from as a wallpaper—including armed militants holding up the group's flag.
Another application was a spoofed mirror version of the Firat News Agency, better known as ANF News Agency, a legitimate Kurdish media outlet. A screenshot of the fake version suggested that it featured content from its real counterpart, while at the same time quietly siphoning off information to its creators, who registered the applications under the innocuous-sounding email address telecom2016@yahoo.com.
The extent to which these applications infiltrated the personal lives of those who downloaded them may never be known, but Check Point researchers were able to detect what sort of information was vulnerable. The attackers were given full access to SMS/MMS messages, phone calls records, contacts list, browser history and bookmarks, external storage, application list, clipboard content, geo-location and camera photos as well as surround voice recordings, according to the report.
Each victim was designated a unique log that the attacker could access at any time. Check Point estimated that up to 240 users were directly affected by the hack, 97 percent of whom were Iranian citizens in a list that also included people from Afghanistan, Iraq and the U.K. The actual figure, however, is likely much higher as the researchers note that the seizure of contact information meant others were likely exposed as well.
Iran has devoted considerable resources to battling ISIS in neighboring Iraq and in Syria, where Tehran backs its ally Syrian President Bashar al-Assad against various insurgent groups as well. The revolutionary Shiite Muslim power's large-scale mobilization of regional, largely religious fighters has prompted concern from the U.S., Saudi Arabia and Israel, which view Iran as a threat to stability in the Middle East.
At home, Iran has also cracked down on jihadi activity—especially after ISIS launched a deadly attack on government buildings in the capital last year—as well as some minority communities—including Kurds and Arabs—some of whom have formed armed separatist movements. Iran's elite Revolutionary Guards claimed a missile attack on a suspected Kurdish militia base in Iraq earlier this week.
The country's cyber capabilities have gained international attention abroad too. In March, the U.S. indicted an alleged Iranian hacker network accused of targeting dozens of U.S. universities, companies and government agencies, as well as the U.N. and other international bodies, on behalf of the Revolutionary Guards. The incident brought attention to Iran's advanced level of cyber warfare, which some experts said exceeded that of electronic heavyweights Russia and North Korea.
COMMENTS