Dangerous mobile surveillance tool for Android discovered
Researchers at Lookout have uncovered a highly targeted mobile malware tool called Monokle that uses a novel and sophisticated set of custom Android surveillance software.
In a report, the researchers who discovered Monokle in the wild say although most of its functionality is common in mobile surveillanceware, Monokle is different in that it uses existing methods in cunning new ways, making it highly effective at data exfiltration, even without root access.
For one, the tool makes extensive use of the Android accessibility services to exfiltrate data from third-party applications, and it reads predictive-text dictionaries to get a sense of the topics of interest to a target. It will also attempt to record the screen during a screen unlock event in order to capture a user’s PIN, pattern or password.
Moreover, Monokle can self-sign trusted certificates to intercept encrypted SSL traffic, which would enable man-in-the-middle attacks.
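The two footholds described above, accessibility-service abuse and a user-installed CA certificate, both leave traces an administrator can check for on a device. The following triage script is an added example written for this article, not Lookout's tooling or anything from the report; it assumes the inputs are the text returned by `adb shell settings get secure enabled_accessibility_services` and by listing the user-added CA directory (assumed path `/data/misc/user/0/cacerts-added/`, readable only on a rooted or debuggable build), and the sample strings and allowlist are constructed for illustration.

```python
"""Triage helper: flag accessibility services that are not on an allowlist and
count user-added CA certificates on an Android device.

Added example, not code from the Monokle report. Inputs are the raw text from
`adb shell settings get secure enabled_accessibility_services` and from
listing /data/misc/user/0/cacerts-added (assumed path); all sample values
below are constructed."""
from __future__ import annotations

# Accessibility services a managed fleet is expected to run (assumed allowlist).
KNOWN_GOOD_SERVICES = {
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService",
}

# Constructed output of the secure setting: ':'-separated ComponentName strings,
# where "pkg/.Cls" is shorthand for "pkg/pkg.Cls".
SAMPLE_ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.notes/.SyncAccessibilityService"
)

# Constructed directory listing: user-added CAs are stored as <subject_hash>.<n>.
SAMPLE_CACERTS_ADDED = "a1b2c3d4.0\n"


def parse_enabled_services(raw: str) -> list[str]:
    """Split the setting value into fully qualified 'package/class' strings."""
    services = []
    for item in raw.strip().split(":"):
        if not item:
            continue
        pkg, _, cls = item.partition("/")
        if cls.startswith("."):  # expand the relative class shorthand
            cls = pkg + cls
        services.append(f"{pkg}/{cls}")
    return services


def suspicious_services(raw: str, allowlist=KNOWN_GOOD_SERVICES) -> list[str]:
    """Return enabled accessibility services that are not on the allowlist."""
    return [s for s in parse_enabled_services(raw) if s not in allowlist]


def user_added_ca_hashes(listing: str) -> list[str]:
    """Extract the OpenSSL subject-hash stems from a cacerts-added listing."""
    hashes = []
    for name in listing.split():
        stem, _, suffix = name.rpartition(".")
        if stem and suffix.isdigit():
            hashes.append(stem)
    return hashes


def triage(services_raw: str, cacerts_listing: str) -> dict:
    """Combine both checks into one finding dictionary for a device."""
    return {
        "unexpected_accessibility_services": suspicious_services(services_raw),
        "user_added_ca_count": len(user_added_ca_hashes(cacerts_listing)),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_ENABLED_SERVICES, SAMPLE_CACERTS_ADDED))
```

The accessibility-service query works over USB debugging on an unrooted device; a non-empty `unexpected_accessibility_services` list or a non-zero `user_added_ca_count` is a prompt to inspect the responsible package, not proof of compromise, since legitimate apps (screen readers, enterprise VPN or proxy profiles) produce the same traces.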
The malware appears in a very limited set of applications, which implies attacks that employ Monokle are highly targeted. A number of its applications are trojanised and include genuine functionality, in order not to raise suspicion.
Lookout has observed samples that go back to March 2016, and researchers say the malware is still being actively deployed.
Research indicates these tools are part of a targeted set of campaigns and were developed by the Special Technology Centre, a private defence contractor in St Petersburg, Russia.
Towards the end of 2016, an amendment to Executive Order 13964 issued by then US President Obama imposed sanctions on STC as one of three companies that provided material support to the Main Intelligence Directorate for alleged interference with the 2016 US presidential election.
STC has been linked to Monokle because it has been developing a set of Android security applications, including an antivirus solution, which share infrastructure with the surveillance tool. According to a developer at STC, these applications were developed ‘for a government customer’.
According to Lookout, there is evidence that an iOS version of Monokle is being developed, although currently, there’s no evidence of active iOS infections.
The tool has likely been used to target individuals in the Caucasus regions and those interested in the Ahrar al-Sham militant group in Syria, among others.
The report said: “There is some evidence pointing to potential targets within configuration files and titles of applications that contained Monokle. Based on titles and icons of certain applications, we conclude that individuals in the following groups are targets of Monokle: individuals that are interested in Islam; individuals that are interested in or associated with the Ahrar al-Sham militant group in Syria; individuals living in or associated with the Caucasus regions of Eastern Europe; and individuals that may be interested in a messaging application called ‘UzbekChat’ referencing the Central Asian nation and former Soviet republic Uzbekistan.”