Security Experts:

Researchers Discover Android Surveillance Malware Built by Sanctioned Russian Firm

Mobile security firm Lookout has discovered a new set of sophisticated custom Android surveillanceware tools developed and distributed by a Russian-based company.

Dubbed Monokle, the malware is built by Special Technology Centre, Ltd, a Russian firm sanctioned by the U.S. Government in connection to interference in the 2016 US presidential elections

The tools were discovered last year and appear to be part of a targeted set of campaigns. They provide attackers with remote access Trojan (RAT) functionality, feature advanced data exfiltration techniques, and can install attacker-specified certificates on infected devices, to facilitate man-in-the-middle (MITM) attacks. 

STC, a private defense contractor in Russia, was sanctioned in 2016 as one of the three companies that provided material support to the Main Intelligence Directorate (GRU) for alleged interference in the 2016 U.S. presidential election.

STC is developing both offensive and defensive Android security software, including an Android antivirus solution, which Lookout’s security researchers were able to link to Monokle, a limited set of applications that are likely highly targeted. 

Under active development, the toolset makes extensive use of Android accessibility services to exfiltrate data from third-party applications, and appears to have been used to target individuals in the Caucasus regions and individuals interested in the Ahrar al-Sham militant group in Syria, among others.

The threat has been disseminated via Trojanized applications that also use the icons and titles (mostly in English with a handful in Arabic and Russian) of legitimate applications. The apps have been very specifically targeted towards certain interests or regions, Lookout reveals in a detailed report (PDF). 

The researchers found samples dating as far back as mid-2015, targeting individuals interested in Islam, interested in or associated with Ahrar al-Sham, living in or associated with the Caucasus regions of Eastern Europe, interested in a messaging application in Uzbekistan. 

The Monokle malware family can remount the system partition to install attacker certificates, hook itself to appear invisible to Process Manager, retrieve calendar information, get the salt used when storing a user’s password, receive messages via keywords delivered via SMS or from designated control phones, interact with office apps, accept commands, and remove itself from the device. 

The apps also include extensive spyware capabilities, being able to log keystrokes, reset PIN, record audio, make calls, record calls, sent text messages, retrieve contacts, get device information, retrieve emails, take photos and videos, track the device location, take screenshots, list installed apps, retrieve browser history, retrieve call history, collect account info and retrieve messages for messaging apps (WhatsApp, Instagram, VK, Skype, and more), and execute arbitrary shell commands. 

Some unused commands found in several samples of Monokle suggest that an iOS version of the client is also in the works, as they serve no purpose as part of the Android client. 

“Monokle is a great example of the larger trend of enterprises and nation-states developing sophisticated mobile malware that we have observed over the years. Monokle is an advanced mobile surveillanceware that compromises a user’s privacy by stealing personal data stored on an infected device and exfiltrating this information to command and control infrastructure,” Lookout notes. 

Related: Exodus Android Spyware With Possible Links to Italian Government Analyzed

Related: Israel Spyware Firm NSO Operates in Shadowy Cyber World

view counter