Suspected government-backed hackers from Iran have used an array of techniques, from password theft to uploading a fake app to a prominent app marketplace, to try gathering intelligence from targets over the past year, Google said in a bulletin published Thursday.
The espionage group APT35, also known as Charming Kitten, last year successfully uploaded to Google’s Play Store an app that masqueraded as a virtual private network service, claiming the tool would safeguard user data. In fact, the apparent VPN program functioned as spyware, collecting call logs, text messages, contacts and location data from affected devices. Google said in an Oct. 14 update that it detected the program “quickly” and removed it before any downloads occurred.
The surveillance app marks an update to existing APT35 tactics. The group is best known for reportedly targeting email accounts associated with former President Donald Trump’s election campaign in 2020 and espionage around major geopolitical events, such as negotiations related to the 2015 nuclear deal between the U.S. and Iran.
The threat intelligence firm FireEye in 2018 said the group operates “at the behest of the Iranian government.”
Along with the malicious VPN app, APT35 hackers also compromised a U.K. university site early in 2021, using it as a base to organize a phishing operation.
By leveraging the university’s name, spies emailed targets messages that included links to an apparent webinar that, in fact, included malware that collected Gmail, Hotmail and Yahoo credentials. The espionage effort also aimed to collect the codes that users received as part of their second-factor authentication, building on a tactic that Google says Charming Kitten has used since 2017 to hack government officials, journalists and national security officials.
Similarly, the group impersonated officials from two high profile gatherings, the Munich Security and Think-20 conferences, to target more recipients. Google detected messages that included link shorteners, click trackers and attacks that abused Google Drive, Dropbox and Microsoft services.
“We warn users when we suspect a government-backed threat like APT35 is targeting them,” Google said. “Thousands of these warnings are sent every month, even in cases where the corresponding attack is blocked. If you receive a warning it does not mean your account has been compromised, it means you have been identified as a target.”
The Iranian government has consistently denied any involvement in malicious cyber activity.