‘BouldSpy’ Android Malware Used in Iranian Government Surveillance Operations

The Iranian government has been using the BouldSpy Android malware to spy on minorities and traffickers.

Mobile security firm Lookout has analyzed a piece of Android spyware used by the Iranian government to surveil minority groups in the country and monitor arms, alcohol, and drugs trafficking.

Dubbed BouldSpy, the malware is likely installed by the Law Enforcement Command of the Islamic Republic of Iran (FARAJA) using physical access to victims' devices, most likely obtained while the victims were in detention.

The spyware has been in use since at least 2020, with more than 300 victims identified to date, including Iranian Kurds, Azeris, Baluchis, and possibly Armenian Christian groups. Evidence also suggests potential law enforcement use of the malware to counter and monitor trafficking.

“We believe FARAJA uses physical access to devices, likely obtained during detention, to install BouldSpy to further monitor the target on release,” Lookout notes.

The malware’s command-and-control (C&C) panel allows operators to manage victim devices and build custom BouldSpy applications that impersonate Android system services, the mobile CPU benchmarking tool CPU-Z, a currency converter, an interest calculator, a prank app, and the VPN app Psiphon.

“Given the likelihood of physical installation as the initial vector for BouldSpy, it’s possible that BouldSpy victims had legitimate versions of these apps installed when their devices were confiscated, and that those apps were trojanized in order to avoid detection by the victim,” Lookout notes.

On infected devices, BouldSpy harvests account usernames together with the application or service each account belongs to, the list of installed apps, browser data, call logs, clipboard content, contact lists, device information, a listing of files and folders, and SMS messages.

The malware also enables operators to record phone calls, take photos using the phone’s camera, log keystrokes, get device location, record audio, and take screenshots. BouldSpy can record voice calls over multiple Voice over IP (VoIP) applications.


BouldSpy performs its malicious activities in the background by abusing Android accessibility services, triggering when the user opens one of the targeted applications or when the device is booted or rebooted. The spyware also disables battery optimization for itself so that the operating system does not kill its background process.
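For an analyst triaging a device that was seized and later returned, the two persistence traits described above (an enabled accessibility service and a battery-optimization exemption) are both visible through Android's settings and `dumpsys` interfaces. The Python helper below is an added example written for this page, not Lookout's tooling and not code from the BouldSpy sample: it parses the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell dumpsys deviceidle whitelist` and reports packages that hold either capability without appearing on an analyst-maintained allowlist, ranking packages that hold both first. The command output, the `com.example.*` package names and the allowlist entries are constructed for the example; the `dumpsys deviceidle whitelist` line format (`system|user,<package>,<uid>`) is assumed from current AOSP builds and should be confirmed against the device under examination.

```python
"""Android accessibility / battery-exemption triage (added example).

Not Lookout's tooling and not BouldSpy code. Parses output an analyst
captures over adb and flags packages that could run in the background
the way the article describes. All sample data below is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Packages the analyst has already vetted on this device. Illustrative
# defaults only; build this from the device's own baseline.
ALLOWLIST = {
    "com.google.android.marvin.talkback",   # assumed legitimate screen reader
    "com.android.providers.downloads",
}

# Constructed output of:
#   adb shell settings get secure enabled_accessibility_services
# Real output is 'pkg/ServiceClass' entries joined by ':'; 'null' when empty.
SAMPLE_SETTINGS = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakebench/.SysService"          # constructed, hypothetical
)

# Constructed output of: adb shell dumpsys deviceidle whitelist
# Assumed line format: '<system|user>,<package>,<uid>'.
SAMPLE_DUMPSYS = """\
system,com.android.providers.downloads,10007
system,com.android.vending,10030
user,com.example.fakebench,10145
user,com.example.currency,10152
"""


def parse_accessibility_services(settings_output: str) -> list[str]:
    """Return package names that have an enabled accessibility service."""
    text = settings_output.strip()
    if not text or text == "null":
        return []
    packages = []
    for entry in text.split(":"):
        pkg = entry.split("/", 1)[0].strip()
        if pkg:
            packages.append(pkg)
    return packages


def parse_deviceidle_whitelist(dumpsys_output: str) -> dict[str, str]:
    """Return {package: 'system' | 'user'} for battery-optimization exemptions.

    'user' entries were added after the device shipped (by the user, by an
    app prompting for it, or by someone with hands on the device), which is
    the interesting case here. Lines that do not match the format are skipped.
    """
    exemptions: dict[str, str] = {}
    for line in dumpsys_output.splitlines():
        parts = line.strip().split(",")
        if len(parts) == 3 and parts[0] in ("system", "user"):
            exemptions[parts[1]] = parts[0]
    return exemptions


@dataclass
class Finding:
    package: str
    reasons: list[str] = field(default_factory=list)


def triage(settings_output: str, dumpsys_output: str,
           allowlist: set[str] = ALLOWLIST) -> list[Finding]:
    """Flag non-allowlisted packages holding either capability.

    A package holding both (background execution via accessibility plus
    immunity from Doze/app standby) is ranked first.
    """
    findings: dict[str, Finding] = {}
    for pkg in parse_accessibility_services(settings_output):
        if pkg not in allowlist:
            findings.setdefault(pkg, Finding(pkg)).reasons.append(
                "accessibility service enabled")
    for pkg, kind in parse_deviceidle_whitelist(dumpsys_output).items():
        if kind == "user" and pkg not in allowlist:
            findings.setdefault(pkg, Finding(pkg)).reasons.append(
                "user-added battery optimization exemption")
    return sorted(findings.values(),
                  key=lambda f: (-len(f.reasons), f.package))


if __name__ == "__main__":
    for finding in triage(SAMPLE_SETTINGS, SAMPLE_DUMPSYS):
        print(f"{finding.package}: {'; '.join(finding.reasons)}")
```

On a real device, feed the helper the captured command output instead of the constructed samples, and treat any hit as a lead to pull the APK for analysis rather than as a verdict: legitimate apps also request both capabilities, so the allowlist is what carries the judgement.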

The threat can receive commands both over its C&C web channel and via SMS messages. It encrypts the files it stages for exfiltration, but its C&C traffic itself is sent unencrypted, so that traffic is observable to anyone inspecting the device's network connections.

Lookout also found that BouldSpy can execute arbitrary code, download and run additional code supplied by the C&C server, and execute code within the context of other applications.

BouldSpy also contains ransomware code borrowed from the open source project CryDroid, but Lookout believes the code is unused or nonfunctional, suggesting that ransomware capabilities might be under development or could be a false flag.

Related: Microsoft: Iranian Hackers Moved From Recon to Targeting US Critical Infrastructure

Related: Microsoft: Iranian Gov Hackers Caught in Azure Wiper Attacks

Related: Iranian APT Leaks Data From Saudi Arabia Government Under New Persona

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
