Connect with us

Hi, what are you looking for?


Malware & Threats

‘BouldSpy’ Android Malware Used in Iranian Government Surveillance Operations

The Iranian government has been using the BouldSpy Android malware to spy on minorities and traffickers.

Mobile security firm Lookout has analyzed a piece of Android spyware used by the Iranian government to surveil minority groups in the country and monitor arms, alcohol, and drugs trafficking.

Dubbed BouldSpy, the malware is likely installed by the Law Enforcement Command of the Islamic Republic of Iran (FARAJA) using physical access to victim devices, supposedly obtained during detention.

The spyware has been in use since at least 2020, with more than 300 victims identified to date, including Iranian Kurds, Azeris, Baluchis, and possibly Armenian Christian groups. Evidence also suggests potential law enforcement use of the malware to counter and monitor trafficking.

“We believe FARAJA uses physical access to devices, likely obtained during detention, to install BouldSpy to further monitor the target on release,” Lookout notes.

The malware’s command-and-control (C&C) panel allows operators to manage victim devices and build custom BouldSpy applications that impersonate Android system services, the mobile CPU benchmarking tool CPU-Z, a currency converter, an interest calculator, a prank app, and the VPN app Psiphon.

“Given the likelihood of physical installation as the initial vector for BouldSpy, it’s possible that BouldSpy victims had legitimate versions of these apps installed when their devices were confiscated, and that those apps were trojanized in order to avoid detection by the victim,” Lookout notes.

On the infected devices, BouldSpy harvests account usernames and associated application/service, a list of installed apps, browser data, call logs, clipboard content, contact lists, device information, a list of files and folders, and SMS messages.

Advertisement. Scroll to continue reading.

The malware also enables operators to record phone calls, take photos using the phone’s camera, log keystrokes, get device location, record audio, and take screenshots. BouldSpy can record voice calls over multiple Voice over IP (VoIP) applications.

BouldSpy performs its malicious activities in the background, by abusing Android accessibility services, when the user opens one of the targeted applications or when the device is booted or rebooted. The spyware also disables battery management, to prevent the device from closing its process.

The threat can receive commands via C&C web traffic and via SMS messages. Although it encrypts the files selected for exfiltration, the malware does not encrypt C&C traffic.

Lookout also discovered that BouldSpy can execute arbitrary code, can download and run additional code received from the C&C, and can execute code within other applications.

BouldSpy also contains ransomware code borrowed from the open source project CryDroid, but Lookout believes the code is unused or nonfunctional, suggesting that ransomware capabilities might be under development or could be a false flag.

Related: Microsoft: Iranian Hackers Moved From Recon to Targeting US Critical Infrastructure

Related: Microsoft: Iranian Gov Hackers Caught in Azure Wiper Attacks

Related: Iranian APT Leaks Data From Saudi Arabia Government Under New Persona

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Mobile & Wireless

Critical security flaws expose Samsung’s Exynos modems to “Internet-to-baseband remote code execution” attacks with no user interaction. Project Zero says an attacker only needs...