A newly discovered Android malware strain has been tied to a US-sanctioned contractor with close connections with Russia’s GRU.
According to researchers at Lookout, who found and dubbed the malware as Monokle, is able to steal personal information from an infected device and send it to any of a series of command-and-control (C2) servers. One of the unique aspects of Monokle is that it doesn’t need root access to collect its information. Instead, it uses a series of existing techniques in novel ways to get a more complete picture of the user’s data, interests, and on-line habits.
“The malware has a unique set of features. It can modify the Android device’s trusted root certificate, capture the screen unlock sequence, and capture the auto-complete dictionary, among other things. It’s very complete surveillance-ware,” says Adam Bauer, senior staff security intelligence engineer at Lookout.
Monokle’s source has been traced back to Special Technology Center (STC), a Russian defense contractor sanctioned for its role in interfering with the 2016 US presidential election. “The first reason Monokle is notable is because of its ties to a Russian government defense contractor who is also producing antivirus for Android,” says Tim Erlin, vice president of product management and strategy at TripWire. “The second reason it’s notable is because of the extent to which it’s able to gather data and take advantage of of a mobile device.”
According to the Lookout report, Monokle’s ties to STC and the Android antivirus software are found in the code. “STC has been developing a set of Android security applications, including an antivirus solution, which share infrastructure with Monokle,” the report states.
Lookout determined that Monokle is targeting very specific individuals because of the applications that carry the infection. Christoph Hebeisen, senior manager, security intelligence at Lookout, believes the surveillance-ware’s qualities mean that it most likely will remain a tool for spying on high-value targets.
“Ultimately, we believe that this type of software is most likely to be used in targeted attacks, so whether you worry about it or not depends on your threat model,” he says.
The Lookout researchers and Erlin point out, though, that there’s nothing inherent in Monokle’s technology that limits it to a particular target. “In this case, where we’re talking about a tool that’s been discovered in the wild and analyzed, the use of that tool that’s been seen so far has been targeted,” Erlin says. “But that doesn’t mean that the tool itself couldn’t be used in a variety of ways.”
Bauer says that the Monokle code was first found in the wild in samples collected in 2016, but the code wasn’t initially analyzed and found to be malicious until early 2018. Analysis has continued and more details have become clear. “We decided to go public now because of the relevance of this particular threat,” Bauer says. “Once we found that the creator was STC, it became more relevant because the company has been sanctioned due to their connection to GRU in terms of election meddling.”
Erlin says there are specific steps individuals and organizations can take to reduce their risk from the spyware: don’t install apps from untrusted sources or from unknown third-party sources, and install mobile antivirus, he says.
Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.
Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and … View Full Bio