Lookout discovers new mobile surveillanceware

25 July 2019

Special Technology Centre, Ltd: A Russian defence contractor and developer of Monokle

In late 2016, an amendment to Executive Order 13964, issued by then-President Barack Obama, imposed sanctions on Special Technology Centre, Ltd. (STC) as one of three companies that provided material support to the Main Intelligence Directorate (GRU) for alleged interference in the 2016 U.S. presidential election. STC is a private defence contractor in Russia known for producing Unmanned Aerial Vehicles (UAVs) and Radio Frequency (RF) equipment for the Russian military and other government customers.

Lookout research, having uncovered previously unknown mobile software development and surveillance capabilities, shows that STC is developing both offensive and defensive Android security software. It is through STC’s connection to its own Android antivirus solution, called Defender, that Lookout can conclusively establish that STC is the developer of Monokle.

“Monokle possesses remote access trojan (RAT) functionality, uses advanced data exfiltration techniques and has the ability to install an attacker-specified certificate to the trusted certificates store on an infected device that would facilitate man-in-the-middle (MITM) attacks. This ability is something that Lookout researchers have never seen in the wild before.”

Monokle: advanced mobile surveillanceware used in highly targeted attacks

Monokle is a new and sophisticated set of custom Android surveillanceware tools developed by the Russia-based company Special Technology Centre, Ltd, which was sanctioned by the U.S. Government in connection with interference in the 2016 US presidential election.

Lookout discovered Monokle in 2018, and our research indicates that these tools are part of a targeted set of campaigns and are developed by the St. Petersburg, Russia-based company Special Technology Centre, Ltd. (STC), which is notable for providing material support to the GRU in its interference in the 2016 U.S. Presidential election.

Monokle is a clear example of the larger trend we have observed over the years of enterprises and nation-states developing sophisticated mobile malware. Monokle is an advanced mobile surveillanceware that compromises a user’s privacy by stealing personal data stored on an infected device and exfiltrating it to command and control infrastructure. While most of its functionality is typical of mobile surveillanceware, Monokle is a unique and advanced mobile surveillance tool because it:

  • Uses existing methods in novel ways in order to be extremely effective at data exfiltration, even without root access. In particular, it makes extensive use of the Android accessibility services to exfiltrate data from third-party applications.
  • Installs an attacker-specified certificate to the trusted certificates on an infected device that would allow for man-in-the-middle (MITM) attacks.
  • Uses predictive-text dictionaries to get a sense of the topics of interest to a target.
  • Has the ability to record the device’s screen during a screen unlock event, allowing it to compromise a user’s PIN, pattern or password.
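
Two of the indicators listed above leave traces a defender can audit from a device: an enabled accessibility service that the organisation did not expect, and a user-added CA certificate in the trusted store. The following is an added example (not code from the original article or from Lookout) that parses the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell ls /data/misc/user/0/cacerts-added/` against an allowlist; the sample command output, package names and allowlist are constructed for this example.

```python
"""Audit constructed Android command output for two Monokle-style indicators."""
from __future__ import annotations

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`
# (colon-separated component names). The com.example.notes package is made up.
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.notes/com.example.notes.AccessService"
)

# Constructed sample of `adb shell ls /data/misc/user/0/cacerts-added/`, one entry per
# line. Android names user-installed CA files <subject_hash>.<n>; the hash is made up.
SAMPLE_CACERTS_ADDED = "9a5ba575.0\n"

# Accessibility services the organisation knowingly allows (assumption for this example).
ALLOWED_ACCESSIBILITY = {"com.google.android.marvin.talkback"}


def parse_accessibility_services(raw: str) -> list[str]:
    """Split the colon-separated setting into package names; 'null' means none enabled."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    return [entry.split("/", 1)[0] for entry in raw.split(":") if entry]


def parse_cacerts_added(raw: str) -> list[str]:
    """Return the user-added CA file names from a directory listing, ignoring blank lines."""
    return [line.strip() for line in raw.splitlines() if line.strip()]


def audit(accessibility_raw: str, cacerts_raw: str, allowed: set[str]) -> list[str]:
    """Return human-readable findings; an empty list means neither indicator is present."""
    findings = []
    for pkg in parse_accessibility_services(accessibility_raw):
        if pkg not in allowed:
            findings.append(f"unexpected accessibility service enabled by package {pkg}")
    for cert in parse_cacerts_added(cacerts_raw):
        # Any user-added CA is worth a look: a legitimate enterprise CA should be on a
        # known list, and Monokle installs an attacker-specified one for MITM.
        findings.append(f"user-added CA certificate present in trusted store: {cert}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_ACCESSIBILITY, SAMPLE_CACERTS_ADDED, ALLOWED_ACCESSIBILITY):
        print(finding)
```

On a real device, feed the output of the two adb commands into `audit` in place of the constructed samples; an empty result means neither trace was found, not that the device is clean.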

Monokle appears in a very limited set of applications which implies attacks using Monokle are highly targeted. Many of these applications are trojanized and include legitimate functionality, so user suspicion is not aroused. Lookout data indicates this tool is still being actively deployed.

Read the full article on the Lookout site.

Our Threat Defence products

Samsung’s Knox platform brings best-in-class hardware-based security, policy management, and compliance capabilities beyond the standard features available in today’s mobile device market.

MobileIron Threat Defense

MobileIron Threat Defense allows you to fully secure corporate and employee-owned devices, making your people more productive while protecting their mobile devices against advanced threats.

Desktops are being replaced by mobile endpoints, and data centres are moving workloads to the cloud. As a result, the traditional enterprise perimeter no longer exists. This shift means organisations must think differently about security.

Lookout protects mobility for some of the world’s largest enterprises, critical government agencies, and tens of millions of individuals worldwide. They’ve achieved this by partnering with leaders in the mobile ecosystem globally, and they’re only getting started.
