Cybersecurity researchers have uncovered a new piece of mobile surveillance malware believed to be developed by a Russian defense contractor that has been sanctioned for interfering with the 2016 U.S. presidential election.
Dubbed Monokle, the mobile remote-access trojan has been actively targeting Android phones since at least March 2016 and is primarily being used in highly targeted attacks on a limited number of people.
According to security researchers at Lookout, Monokle possesses a wide range of spying functionalities and uses advanced data exfiltration techniques, even without requiring root access to a targeted device.
How Bad is Monokle Surveillance Malware
In particular, the malware abuses Android accessibility services to exfiltrate data from a large number of popular third-party applications, including Google Docs, Facebook messenger, Whatsapp, WeChat, and Snapchat, by reading text displayed on a device’s screen at any point in time.
The malware also extracts user-defined predictive-text dictionaries to “get a sense of the topics of interest to a target,” and also attempts to record the phone screen during a screen unlock event in order to compromise the phone’s PIN, pattern or password.
Besides this, if the root access is available, the spyware installs attacker-specified root CA certificates to the list of trusted certificates on a compromised device, potentially enabling the attackers to easily intercept encrypted SSL-protected network traffic through Man-in-the-Middle (MiTM) attacks.
Other functionalities of Monokle includes:
- Track device location
- Record audio and calls
- Make screen recordings
- Keylogger and device-fingerprinting
- Retrieve browsing and call histories
- Take photos, videos, and screenshots
- Retrieve emails, SMSes, and Messages
- Steal contacts and calendar information
- making calls and sending text messages on behalf of victims
- Execute arbitrary shell commands, as root, if root access is available
In total, Monokle contains 78 different predefined commands, which attackers can send through SMS, phone calls, email message exchange through POP3 and SMTP, and inbound/outbound TCP connections, instructing the malware to exfiltrate requested data and send it to the attackers remote command-and-control servers.
Spyware Disguises as PornHub and Google Android Apps
According to the researchers, attackers are distributing Monokle through fake apps that look just like Evernote, Google Play, Pornhub, Signal, UC Browser, Skype, and other popular Android apps.
Most of these apps even include legitimate functionality, preventing targeted users from suspecting the apps are malicious.
Moreover, some recent samples of Monokle even come bundled with Xposed modules that allow the malware to customize some system features, eventually extending its ability to hook and hide presence in the process list.
The malware package uses a DEX file in its assets folder that “includes all cryptographic functions implemented in the open source library “spongycastle,” various email protocols, extraction and exfiltration of all data, serialization and deserialization of data using the Thrift protocol, and rooting and hooking functionality, among others.”
The new Android malware and its capabilities remind us of the powerful surveillance malware Pegasus, developed by Israel-based NSO Group for both Apple iOS and Google Android devices.
However, unlike Russian spyware Monokle, Pegasus comes with powerful zero-day exploits that install the spyware on a targeted device with little to no user interaction.
Pegasus has previously been used to target human rights activists and journalists, from Mexico to the United Arab Emirates and again last year against an Amnesty International staffer in Saudi Arabia.
Russian Defense Contractor STC Developed Monokle Malware
Monokle was developed by a Russia-based company, called Special Technology Centre Ltd. (STC)—a private defense contractor known for producing UAVs and Radio Frequency (RF) equipment for Russian military as well as other government customers.
According to Lookout researchers, Monokle and STC’s Android security suite called Defender are digitally signed with the same cryptographic certificates and also share the same command and control infrastructure.
“Command-and-control infrastructure that communicates with the Defender application also communicates with Monokle samples. The signing certificates used for signing Android application packages overlap between Defender and Monokle as well,” according to the report.
“Additional overlap was observed by Lookout researchers between Monokle and the defensive security software produced by STC in the authors’ development and implementation choices.”
Monokle for iOS Under Development
Besides Android, researchers also came across some Monokle malware samples, analysis of which revealed the existence of iOS versions of Monokle targeting Apple devices, though the researchers found no evidence of any active iOS infection as of now.
Some commands in the malware samples appear to serve no purpose as part of the Android client and have likely been added unintentionally, which suggests that the iOS versions of Monokle may be under development.
Those commands include iOS functions for the keychain, iCloud connections, Apple iWatch accelerometer data, iOS permissions, and other iOS features or services.
According to Lookout researchers, Monokle is used in highly targeted attacks on a limited number of people in the Caucasus regions of Eastern Europe as well as individuals interested in Islam and the Ahrar al-Sham militant group in Syria, and individuals in the Central Asian nation and former Soviet republic Uzbekistan.
For more information, you can head on the detailed report published by Lookout.