LOOKOUT
Lookout discovers new mobile surveillanceware
25 July 2019
Special Technology Centre, Ltd: A Russian defense contractor & developer of Monokle
In late 2016, the amendment to Executive Order 13964 issued by then-President Barack Obama imposed sanctions on Special Technology Centre, Ltd. (STC), one of three companies found to have provided material support to the Main Intelligence Directorate (GRU) for alleged interference in the 2016 U.S. presidential election. STC is a private defense contractor in Russia known for producing Unmanned Aerial Vehicles (UAVs) and Radio Frequency (RF) equipment for the Russian military and other government customers.
Lookout research shows that STC is developing both offensive and defensive Android security software; in the course of that research, Lookout discovered previously unknown mobile software development and surveillance capabilities. It is through STC’s connection to its own Android antivirus solution, called Defender, that Lookout can establish conclusively that STC is the developer of Monokle.
“Monokle possesses remote access trojan (RAT) functionality, uses advanced data exfiltration techniques and has the ability to install an attacker-specified certificate to the trusted certificates store on an infected device that would facilitate man-in-the-middle (MITM) attacks. This ability is something that Lookout researchers have never seen in the wild before.”
Monokle: advanced mobile surveillanceware used in highly targeted attacks
Monokle is a new and sophisticated set of custom Android surveillanceware tools developed by the Russia-based company Special Technology Centre, Ltd, which was sanctioned by the U.S. Government in connection with interference in the 2016 U.S. presidential election.
Lookout discovered Monokle in 2018 and our research indicates that these tools are part of a targeted set of campaigns and are developed by the St. Petersburg, Russia-based company, Special Technology Centre, Ltd. (STC), which is notable for providing material support to the GRU in its interference in the 2016 U.S. Presidential election.
Monokle is a great example of the larger trend of enterprises and nation-states developing sophisticated mobile malware that we have observed over the years. Monokle is an advanced mobile surveillanceware that compromises a user’s privacy by stealing personal data stored on an infected device and exfiltrating this information to command and control infrastructure. While most of its functionality is typical of mobile surveillanceware, Monokle is a unique and advanced mobile surveillance tool because it:
- Uses existing methods in novel ways in order to be extremely effective at data exfiltration, even without root access. In particular, it makes extensive use of the Android accessibility services to exfiltrate data from third party applications.
- Installs an attacker-specified certificate to the trusted certificates on an infected device that would allow for man-in-the-middle (MITM) attacks.
- Uses predictive-text dictionaries to get a sense of the topics of interest to a target.
- Has the ability to record the device’s screen during a screen unlock event, allowing it to compromise a user’s PIN, pattern or password.
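Two of the capabilities listed above, the attacker-added trusted certificate and the abuse of accessibility services, leave traces that an on-device check can surface. The following is an added example written for this page, not Lookout's or STC's code; it assumes a hypothetical class name and uses only standard Android APIs (the `AndroidCAStore` keystore, whose aliases are prefixed `system:` or `user:`, and the `ENABLED_ACCESSIBILITY_SERVICES` secure setting).

```java
import android.content.Context;
import android.provider.Settings;
import android.text.TextUtils;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;

/** Hypothetical on-device audit for the two Monokle-style indicators discussed above. */
public final class DeviceTrustAudit {

    /** Subjects of CA certificates that were added to the trusted store after shipment
     *  (by a user, an MDM, or malware), as opposed to the CAs built into Android. */
    public static List<String> userAddedCaSubjects() throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidCAStore");
        ks.load(null, null);
        List<String> subjects = new ArrayList<>();
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            // AndroidCAStore names built-in roots "system:<hash>" and added roots "user:<hash>"
            if (alias.startsWith("user:")) {
                X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
                subjects.add(cert.getSubjectX500Principal().getName());
            }
        }
        return subjects; // empty on a device with no added trust anchors
    }

    /** Component names of accessibility services currently enabled in Settings.
     *  Any entry not belonging to a known screen reader or assistive app deserves review. */
    public static List<String> enabledAccessibilityServices(Context ctx) {
        String raw = Settings.Secure.getString(ctx.getContentResolver(),
                Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES);
        if (TextUtils.isEmpty(raw)) {
            return Collections.emptyList();
        }
        List<String> services = new ArrayList<>();
        // The setting is a colon-separated list of "package/ServiceClass" component names
        for (String entry : raw.split(":")) {
            if (!entry.isEmpty()) {
                services.add(entry);
            }
        }
        return services;
    }
}
```

Both lists are empty on a clean device with default settings, so a non-empty result is a prompt to verify the certificate subject or the service's package against what the device owner actually installed.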
Monokle appears in a very limited set of applications which implies attacks using Monokle are highly targeted. Many of these applications are trojanized and include legitimate functionality, so user suspicion is not aroused. Lookout data indicates this tool is still being actively deployed.
Read the full article on the Lookout site.