Researchers Discover Android Surveillance Malware Built by Sanctioned Russian Firm

Mobile security firm Lookout has discovered a new set of sophisticated custom Android surveillanceware tools developed and distributed by a Russian-based company.

Dubbed Monokle, the malware is built by Special Technology Centre, Ltd (STC), a Russian firm sanctioned by the U.S. Government in connection with interference in the 2016 U.S. presidential election.

The tools were discovered last year and appear to be part of a targeted set of campaigns. They provide attackers with remote access Trojan (RAT) functionality, feature advanced data exfiltration techniques, and can install attacker-specified certificates on infected devices to facilitate man-in-the-middle (MITM) attacks.

STC, a private defense contractor in Russia, was sanctioned in 2016 as one of the three companies that provided material support to the Main Intelligence Directorate (GRU) for alleged interference in the 2016 U.S. presidential election.

STC develops both offensive and defensive Android security software, including an Android antivirus solution that Lookout's security researchers were able to link to Monokle, which consists of a limited set of applications that are likely highly targeted.

Under active development, the toolset makes extensive use of Android accessibility services to exfiltrate data from third-party applications, and appears to have been used to target individuals in the Caucasus regions and individuals interested in the Ahrar al-Sham militant group in Syria, among others.

The threat has been disseminated via Trojanized applications that reuse the icons and titles (mostly in English, with a handful in Arabic and Russian) of legitimate applications. The apps have been very specifically targeted toward certain interests or regions, Lookout reveals in a detailed report (PDF).

The researchers found samples dating as far back as mid-2015, targeting individuals interested in Islam, interested in or associated with Ahrar al-Sham, living in or associated with the Caucasus regions of Eastern Europe, or interested in a messaging application in Uzbekistan.

The Monokle malware family can remount the system partition to install attacker certificates, hook itself to appear invisible to Process Manager, retrieve calendar information, get the salt used when storing a user's password, receive commands via keywords delivered by SMS or from designated control phones, interact with office apps, accept commands, and remove itself from the device.

The apps also include extensive spyware capabilities: they can log keystrokes, reset the PIN, record audio, make calls, record calls, send text messages, retrieve contacts, get device information, retrieve emails, take photos and videos, track the device location, take screenshots, list installed apps, retrieve browser history, retrieve call history, collect account info, retrieve messages from messaging apps (WhatsApp, Instagram, VK, Skype, and more), and execute arbitrary shell commands.
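Two of the capabilities described above, abuse of Android accessibility services to read other apps' data and remounting the system partition to add an attacker certificate, leave traces an incident responder can check for from an `adb shell` session. The following is an added example, not code from Lookout's report or from the Monokle samples, showing how to triage the two relevant artifacts: the `enabled_accessibility_services` secure setting (a colon-separated list of `package/ServiceClass` entries) and a listing of the system CA directory `/system/etc/security/cacerts/` compared against a baseline taken from a clean device of the same build. All package names, service classes, certificate file names and the baseline set are constructed for illustration.

```python
"""Triage helpers for two Monokle-style indicators on an Android device:
abused accessibility services and certificates added to the system CA store.
Inputs are strings as returned by `adb shell`; the samples below are constructed."""

from typing import Dict, List, Set, Tuple


def parse_accessibility_services(raw: str) -> List[Tuple[str, str]]:
    """Parse `settings get secure enabled_accessibility_services` output.

    The setting is a ':'-separated list of 'package/ServiceClass' entries and
    reads 'null' (or is empty) when no service is enabled. A class written as
    '.Foo' is shorthand relative to the package name and is expanded here.
    """
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    services = []
    for entry in raw.split(":"):
        entry = entry.strip()
        if not entry:
            continue
        pkg, _, cls = entry.partition("/")
        if cls.startswith("."):
            cls = pkg + cls
        services.append((pkg, cls))
    return services


def suspicious_accessibility_services(raw: str, allowlist: Set[str]) -> List[Tuple[str, str]]:
    """Return enabled services whose package is not on the organisation's allowlist.

    A hit is a lead for review, not proof of compromise: legitimate screen
    readers and automation tools also register accessibility services.
    """
    return [(pkg, cls) for pkg, cls in parse_accessibility_services(raw) if pkg not in allowlist]


def parse_cacert_listing(raw: str) -> Set[str]:
    """Extract file names from `ls` or `ls -l` output of /system/etc/security/cacerts/.

    System CA files are named '<subject_hash>.<n>'; the last whitespace-separated
    token of each line is the file name, and the 'total N' header from `ls -l`
    is skipped.
    """
    names = set()
    for line in raw.splitlines():
        line = line.strip()
        if line and not line.startswith("total "):
            names.add(line.split()[-1])
    return names


def added_system_certs(listing_raw: str, baseline: Set[str]) -> List[str]:
    """Files present in the system CA store that are absent from the clean baseline.

    Writing into /system/etc/security/cacerts/ requires remounting /system
    read-write, which is exactly the behaviour described for Monokle; a
    per-build baseline turns that into a simple set difference.
    """
    return sorted(parse_cacert_listing(listing_raw) - baseline)


def triage(enabled_raw: str, listing_raw: str, allowlist: Set[str], baseline: Set[str]) -> Dict[str, list]:
    """Run both checks and return the findings keyed by indicator name."""
    return {
        "accessibility_services": suspicious_accessibility_services(enabled_raw, allowlist),
        "added_system_certs": added_system_certs(listing_raw, baseline),
    }


# Constructed sample data standing in for real `adb shell` output.
SAMPLE_ENABLED = (
    "com.vendor.talkback/.TalkBackService:"
    "com.example.reader/com.example.reader.A11yService"
)
SAMPLE_ALLOWLIST = {"com.vendor.talkback"}
SAMPLE_BASELINE = {"0a1b2c3d.0", "4e5f6a7b.0"}
SAMPLE_LISTING = """total 3
-rw-r--r-- 1 root root 1200 2019-01-01 00:00 0a1b2c3d.0
-rw-r--r-- 1 root root 1300 2019-01-01 00:00 4e5f6a7b.0
-rw-r--r-- 1 root root 1100 2019-06-30 12:34 99aa11bb.0
"""

if __name__ == "__main__":
    for name, hits in triage(SAMPLE_ENABLED, SAMPLE_LISTING, SAMPLE_ALLOWLIST, SAMPLE_BASELINE).items():
        print(f"{name}: {hits}")
```

The certificate check only covers the system store; certificates a user installs through Settings land in a separate per-user store and are not flagged here. The baseline must come from a device on the same OS build, since vendors ship slightly different root sets.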

Some unused commands found in several Monokle samples suggest that an iOS version of the client is also in the works, as they serve no purpose in the Android client.

“Monokle is a great example of the larger trend of enterprises and nation-states developing sophisticated mobile malware that we have observed over the years. Monokle is an advanced mobile surveillanceware that compromises a user’s privacy by stealing personal data stored on an infected device and exfiltrating this information to command and control infrastructure,” Lookout notes.

Related: Exodus Android Spyware With Possible Links to Italian Government Analyzed

Related: Israel Spyware Firm NSO Operates in Shadowy Cyber World

Written By

Ionut Arghire is an international correspondent for SecurityWeek.