New Android Spyware Created by Russian Defense Contractor Found in the Wild

Cybersecurity researchers have uncovered a new piece of mobile surveillance malware believed to be developed by a Russian defense contractor that has been sanctioned for interfering with the 2016 U.S. presidential election.

Dubbed Monokle, the mobile remote-access trojan has been actively targeting Android phones since at least March 2016 and is primarily being used in highly targeted attacks on a limited number of people.

According to security researchers at Lookout, Monokle possesses a wide range of spying functionalities and uses advanced data exfiltration techniques, even without requiring root access to a targeted device.

How Bad is Monokle Surveillance Malware


In particular, the malware abuses Android accessibility services to exfiltrate data from a large number of popular third-party applications, including Google Docs, Facebook Messenger, WhatsApp, WeChat, and Snapchat, by reading the text displayed on the device's screen at any point in time.

The malware also extracts user-defined predictive-text dictionaries to "get a sense of the topics of interest to a target," and attempts to record the screen during a screen-unlock event in order to capture the phone's PIN, pattern or password.

Besides this, if root access is available, the spyware installs attacker-specified root CA certificates into the device's list of trusted certificates, potentially enabling the attackers to intercept SSL-encrypted network traffic through man-in-the-middle (MitM) attacks.
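The two footholds described above, an unexpected accessibility service and a user-installed CA certificate, both leave traces in device state that a defender can check over adb. The following is an added example (not Lookout's tooling and not Monokle code) that parses the output of `adb shell settings get secure enabled_accessibility_services` and of a directory listing of the user CA store, and flags what does not belong. The allow-list of expected accessibility packages, the store path `/data/misc/user/0/cacerts-added`, and the sample device output are assumptions constructed for this example.

```python
"""Audit two Android settings that Monokle-style spyware relies on, from adb output.

  adb shell settings get secure enabled_accessibility_services
  adb shell ls /data/misc/user/0/cacerts-added

The first prints a colon-separated list of "package/Class" pairs, or "null" when no
service is enabled. The second lists user-installed CA certificates, stored as
<subject-hash>.0 files; the directory path is an assumption for this example.
Added example, not Lookout's code or the malware's."""
from dataclasses import dataclass, field

# Assumed allow-list: accessibility services the device owner expects to be enabled.
# TalkBack is Google's screen reader; anything else on a managed device deserves a look.
EXPECTED_ACCESSIBILITY_PACKAGES = frozenset({
    "com.google.android.marvin.talkback",
})


@dataclass
class AuditResult:
    unexpected_accessibility: list = field(default_factory=list)
    user_ca_certs: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.unexpected_accessibility or self.user_ca_certs)


def parse_enabled_accessibility_services(setting: str) -> list:
    """Split the raw setting value into (package, class) pairs.
    `settings get` prints "null" when the key is unset; treat that and "" as empty."""
    setting = setting.strip()
    if setting in ("", "null"):
        return []
    pairs = []
    for entry in setting.split(":"):
        entry = entry.strip()
        if not entry:
            continue
        package, _, cls = entry.partition("/")
        # Android abbreviates a class inside its own package as "/.ClassName".
        if cls.startswith("."):
            cls = package + cls
        pairs.append((package, cls))
    return pairs


def unexpected_accessibility_packages(setting: str, expected=EXPECTED_ACCESSIBILITY_PACKAGES) -> list:
    """Packages holding accessibility access that are not on the allow-list."""
    return sorted({pkg for pkg, _ in parse_enabled_accessibility_services(setting)
                   if pkg not in expected})


def parse_user_cacerts(listing: str) -> list:
    """Filenames from the user CA store listing. An empty listing or an
    'No such file or directory' error both mean no user-installed CAs."""
    names = []
    for line in listing.splitlines():
        line = line.strip()
        if not line or "No such file" in line:
            continue
        names.append(line)
    return names


def audit(accessibility_setting: str, cacerts_listing: str) -> AuditResult:
    return AuditResult(
        unexpected_accessibility=unexpected_accessibility_packages(accessibility_setting),
        user_ca_certs=parse_user_cacerts(cacerts_listing),
    )


# Constructed sample output: a device carrying TalkBack, a look-alike "Evernote"
# package with an accessibility service, and one user-added CA certificate.
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.evernote.client.fake/.NotesAccessibilityService"
)
SAMPLE_CACERTS = "a1b2c3d4.0\n"

if __name__ == "__main__":
    result = audit(SAMPLE_ACCESSIBILITY, SAMPLE_CACERTS)
    print("unexpected accessibility packages:", result.unexpected_accessibility)
    print("user-installed CA certs:", result.user_ca_certs)
    print("suspicious:", result.suspicious)
```

A hit from either check is a lead, not a verdict: users legitimately enable accessibility services and install enterprise CAs. The point is that both grants are rare on a typical handset and cheap to enumerate, so a fleet-wide baseline turns the malware's own prerequisites into a detection signal.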

Other functionalities of Monokle include:

  • Track device location
  • Record audio and calls
  • Make screen recordings
  • Keylogging and device fingerprinting
  • Retrieve browsing and call histories
  • Take photos, videos, and screenshots
  • Retrieve emails, SMSes, and messages
  • Steal contacts and calendar information
  • Make calls and send text messages on behalf of victims
  • Execute arbitrary shell commands, as root, if root access is available

In total, Monokle contains 78 different predefined commands, which attackers can send via SMS, phone calls, email exchanged over POP3 and SMTP, and inbound/outbound TCP connections, instructing the malware to exfiltrate the requested data and send it to the attackers' remote command-and-control servers.

Spyware Disguises as PornHub and Google Android Apps


According to the researchers, attackers are distributing Monokle through fake apps that look just like Evernote, Google Play, Pornhub, Signal, UC Browser, Skype, and other popular Android apps.

Most of these apps even include legitimate functionality, preventing targeted users from suspecting the apps are malicious.

Moreover, some recent samples of Monokle even come bundled with Xposed modules, which let the malware customize some system features, ultimately extending its ability to hook functions and hide its presence in the process list.

The malware package uses a DEX file in its assets folder that "includes all cryptographic functions implemented in the open source library 'spongycastle,' various email protocols, extraction and exfiltration of all data, serialization and deserialization of data using the Thrift protocol, and rooting and hooking functionality, among others."

The new Android malware and its capabilities remind us of the powerful surveillance malware Pegasus, developed by Israel-based NSO Group for both Apple iOS and Google Android devices.

However, unlike the Russian spyware Monokle, Pegasus comes with powerful zero-day exploits that install the spyware on a targeted device with little to no user interaction.

Pegasus has previously been used to target human rights activists and journalists, from Mexico to the United Arab Emirates, and again last year against an Amnesty International staffer in Saudi Arabia.
