Monokle is a new and sophisticated set of custom Android surveillanceware tools developed by the Russia-based company Special Technology Centre, Ltd., which was sanctioned by the U.S. Government in connection with interference in the 2016 U.S. presidential election.
Lookout discovered Monokle in 2018, and our research indicates that these tools are part of a targeted set of campaigns and are developed by Special Technology Centre, Ltd. (STC), a company based in St. Petersburg, Russia, which is notable for providing material support to the GRU in its interference in the 2016 U.S. presidential election.
Monokle is a clear example of a larger trend we have observed over the years: enterprises and nation-states developing sophisticated mobile malware. Monokle is an advanced mobile surveillanceware that compromises a user’s privacy by stealing personal data stored on an infected device and exfiltrating it to command and control infrastructure. While most of its functionality is typical of mobile surveillanceware, Monokle stands out as a unique and advanced surveillance tool because it:
- Uses existing methods in novel ways to be extremely effective at data exfiltration, even without root access. In particular, it makes extensive use of the Android accessibility services to exfiltrate data from third-party applications.
- Installs an attacker-specified certificate into the trusted certificate store of an infected device, enabling man-in-the-middle (MITM) attacks.
- Collects predictive-text dictionaries to infer the topics of interest to a target.
- Can record the device’s screen during a screen unlock event, allowing it to capture a user’s PIN, pattern or password.
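Two of the capabilities above leave traces a defender can look for on a device: an enabled accessibility service bound to an unexpected package, and a certificate in the user-installed CA store. The triage helper below is an added example, not part of the Lookout write-up or the Monokle analysis; it parses text captured from `adb shell` (constructed sample data here, so it runs offline) and flags both indicators. The accessibility allowlist, package names and certificate file name are assumptions; reading the `cacerts-added` directory requires root or a forensic image.

```python
"""Triage two Monokle-style indicators from captured `adb shell` output:
enabled accessibility services outside an allowlist, and user-added CA certs."""
import re

# Assumed allowlist: accessibility services an organisation expects on its fleet.
ALLOWED_ACCESSIBILITY = {"com.android.talkback"}

# User-installed CA files are named <openssl-subject-hash>.<n>, e.g. 9a5ba575.0
CACERT_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")


def parse_enabled_accessibility_services(raw: str) -> list[str]:
    """Parse `settings get secure enabled_accessibility_services`: a colon-separated
    list of 'package/ServiceClass' entries; 'null' or empty means none enabled."""
    raw = raw.strip()
    if raw in ("", "null"):
        return []
    return [entry for entry in raw.split(":") if entry]


def suspicious_accessibility_services(raw: str, allowed=ALLOWED_ACCESSIBILITY) -> list[str]:
    """Return enabled accessibility services whose package is not allowlisted.
    Monokle uses this API to read data out of other apps without root, so an
    unexpected package holding it deserves a closer look."""
    return [
        entry for entry in parse_enabled_accessibility_services(raw)
        if entry.split("/", 1)[0] not in allowed
    ]


def user_added_ca_certs(ls_output: str) -> list[str]:
    """Return CA files from an `ls` of /data/misc/user/0/cacerts-added/ (needs root
    or a forensic image). On a managed device this is normally empty; any entry
    means TLS connections can be intercepted without warnings."""
    return [line.strip() for line in ls_output.splitlines() if CACERT_NAME.match(line.strip())]


# Constructed sample output, not captured from a real device.
SAMPLE_ACCESSIBILITY = ("com.android.talkback/com.google.android.marvin.talkback.TalkBackService:"
                        "com.example.videoplayer/com.example.videoplayer.a11y.Svc")
SAMPLE_CACERTS = "9a5ba575.0\n"

if __name__ == "__main__":
    print("unexpected accessibility services:", suspicious_accessibility_services(SAMPLE_ACCESSIBILITY))
    print("user-added CA certs:", user_added_ca_certs(SAMPLE_CACERTS))
```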
Monokle appears in a very limited set of applications, which implies that attacks using it are highly targeted. Many of these applications are trojanized and retain legitimate functionality, so they do not arouse the user’s suspicion. Lookout data indicates this tool is still being actively deployed.
Read the full article on the Lookout site.