Researchers at Lookout discovered a new mobile spyware dubbedMonokle that was developed by a Russian defense contractor.
Experts at Lookout discovered a new Android mobile spyware in the wild, dubbed Monokle, that was developed by a Russian defense contractor named Special Technology Centre Ltd. (STC).
“Lookout has discovered a highly targeted mobile malware threat that uses a new and sophisticated set of custom Android surveillanceware tools called Monokle that has possible connections to Russian threat actors.” reads the report published by Lookout. “Lookout research indicates these tools are part of a targeted set of campaigns and are developed by the St. Petersburg, Russia-based company, Special Technology Centre, Ltd. (STC, Ltd. or STC).”
Special Technology Centre Ltd. (STC) has been sanctioned for interfering with the 2016 U.S. Presidential election.
Monokle has been used in highly targeted attacks at least since March 2016, it supports a wide range of spying functionalities and implements advanced data exfiltration techniques.
Monokle supports 78 different predefined commands, of which 61 are implemented in recent samples, that allow attackers to exfiltrate requested data.
The list of functionalities implemented by the spyware includes:
Track device location
Get nearby cell tower info
Retrieve accounts and associated passwords.
Record audio and calls
Suicide functionality and cleanup of staging files.
Make screen recordings
Keylogger and device-fingerprinting
Retrieve browsing and call histories
Take photos, videos, and screenshots
Retrieve emails, SMSes, and Messages
Steal contacts and calendar information
Make calls and send text messages
Execute arbitrary shell commands, as root, if root access is available
The surveillance software abuses Android accessibility services to capture data from third party apps, including Google Docs, Facebook messenger, VK, Whatsapp, WeChat, Viber, Skype, and Snapchat. The malicious code, in fact, is able to read text notifications displayed on a device’s screen.
The surveillance surveillance also uses user-defined predictive-text dictionaries to “get a sense of the topics of interest to a target,” it also attempts to record the phone screen during a screen unlock event in order to obtain the phone’s PIN, pattern or password.
If root access is available on the target device, the spyware installs attacker-specified root CA certificates to the trusted certificates on an infected device that would attackers to carry out man-in-the-middle (MITM) attacks.
According to Lookout, the spyware is distributed through fake apps, some of which are related to specific interests or regions, this suggests that the malware was currently used in limited areas around the world. Most of the titles are in English with a handful in Arabic and Russian.
Monokle has likely been used to spy on individuals in the Caucasus regions and individuals interested in the Ahrar al-Sham militant group in Syria.
Recent samples of Monokle include the Xposed framework that allows Android users to apply modules to an Android device’s ROM(Read Only Memory). Some Monokle fake apps include Xposed modules that implement functionality for hooking and hiding presence in the process list
Much of the core malicious functionality implemented in the later samples of Monokle use an XOR obfuscated DEX file in the assets folder.
“The functionality hidden in this DEX file includes all cryptographic functions implemented in the open source library spongycastle11, various e-mail protocols, extraction and exfiltration of all data, serialisation and deserialisation of data using the Thrift protocol, and rooting and hooking functionality, among others ” continues the report.
As anticipated, Monokle was developed by STC, the experts noticed that Monokle and the STC’s Android security suite called Defender are digitally signed with the same digital certificates and have the same C&C infrastructure.
“Command and control infrastructure that communicates with the Defender application also communicates with Monokle samples. The signing certificates used for signing Android application packages overlap between Defender and Monokle as well.” continues the report. “Additional overlap was observed by Lookout researchers between Monokle and the defensive security software produced by STC in the authors’ development and implementation choices.”
Researchers revealed that there is evidence that an iOS version of Monokle is in development, even if they have no evidence of active iOS infections
We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
Pierluigi Paganini
July 25, 2019
