Researchers have discovered some of the most advanced and full-featured mobile surveillanceware ever seen. Dubbed Monokle and used in the wild since at least March 2016, the Android-based application was developed by a Russian defense contractor that was sanctioned in 2016 for helping that country’s Main Intelligence Directorate meddle in the 2016 US presidential election.
Monokle uses several novel tools, including the ability to modify the Android trusted-certificate store and a command-and-control network that can communicate over Internet TCP ports, email, text messages, or phone calls. The result: Monokle provides a host of surveillance capabilities that work even when an Internet connection is unavailable. According to a report published by Lookout, the mobile security provider that found Monokle is able to:
- Retrieve calendar information including name of event, when and where it is taking place, and description
- Perform man-in-the-middle attacks against HTTPS traffic and other types of TLS-protected communications
- Collect account information and retrieve messages for WhatsApp, Instagram, VK, Skype, imo
- Receive out-of-band messages via keywords (control phrases) delivered via SMS or from designated control phones
- Send text messages to an attacker-specified number
- Reset a user’s pincode
- Record environmental audio (and specify high, medium, or low quality)
- Make outgoing calls
- Record calls
- Interact with popular office applications to retrieve document text
- Take photos, videos, and screenshots
- Log passwords, including phone unlock PINs and key presses
- Retrieve cryptographic salts to aid in obtaining PINs and passwords stored on the device
- Accept commands from a set of specified phone numbers
- Retrieve contacts, emails, call histories, browsing histories, accounts and corresponding passwords
- Get device information including make, model, power levels, whether connections are over Wi-Fi or mobile data, and whether screen is on or off
- Execute arbitrary shell commands, as root, if root access is available
- Track device location
- Get nearby cell tower info
- List installed applications
- Get nearby Wi-Fi details
- Delete arbitrary files
- Download attacker-specified files
- Reboot a device
- Uninstall itself and remove all traces from an infected phone
Commands in some of the Monokle samples Lookout researchers analyzed lead them to believe that there may be versions of Monokle developed for devices running Apple’s iOS. Unused in the Android samples, the commands were likely added unintentionally. The commands controlled iOS functions for the keychain, iCloud connections, iWatch accelerometer data, iOS permissions, and other iOS features or services. Lookout researchers didn’t find any iOS samples, but they believe iOS versions may be under development. Monokle gets its name from a malware component a developer titled “monokle-agent.”
From Russia with…
Lookout researchers were able to tie Monokle to Special Technology Centre Ltd. (STC), a St. Petersburg, Russia, defense contractor that was sanctioned in 2016 by then-President Obama for helping Russia’s GRU, or Main Intelligence Directorate, meddle in the 2016 election. Evidence linking Monokle to the contractor includes control servers the malware connects to and cryptographic certificates that sign the samples. Both are identical to those used by Defender, an Android antivirus app developed by STC.
Monokle’s sophistication, combined with its possible use in nation-sponsored surveillance, evokes memories of Pegasus, a powerful set of spying apps developed for both iOS and Android devices. Developed by Israel-based NSO Group, Pegasus was used in 2016 against a dissident of the United Arab Emirates and again this year against a UK-based lawyer.
“We are seeing yet another vendor, that is a defense contractor in this case, that is producing a highly sophisticated malware to spy on users of mobile devices,” Christoph Hebeisen, Lookout’s senior manager of security intelligence, told Ars. “That really drives home the risk around mobile devices and how they are being attacked.”
Lookout researchers found Monokle folded into an extremely small number of apps, an indication the surveillance tool is used in highly targeted attacks on a limited number of people. Most of the apps contained legitimate functionality to prevent users from suspecting the apps are malicious. Based on the app titles and icons of the apps, Lookout believes targets were likely:
- interested in Islam
- interested in Ahrar al-Sham, a militant group fighting against the Syrian government and Bashar al-Assad
- living in or associated with the Caucasus regions of Eastern Europe
- interested in a messaging application called “UzbekChat” referencing the Central Asian nation and former Soviet republic Uzbekistan
Many of the icons and titles have been stolen from legitimate applications to disguise Monokle’s purpose.
Other titles used familiar words like Google Update, Flashlight, and Security Update Service to appear innocuous to the intended target. Titles are mostly in English with a smaller number in Arabic and Russian. While only a small number of samples have been found in the wild, a larger number of samples dates back as long ago as 2015. As the graph below shows, they follow a fairly regular development cycle.
STC is best known for developing radio frequency measurement equipment and unmanned aerial vehicles. It claims to employ 1,000 to 5,000 people. It develops a suite of Android security products, including Defender, that are intended for government customers. Lookout monitored Russian job search sites for positions open at STC and found they required experience in both Android and iOS. As noted earlier, the control servers and signing certificates used by the Android defensive software were in many cases identical to those used by Monokle.
Monokle’s design is consistent with a professional development company that sells to governments. The surveillanceware defines 78 separate tasks—including “gathers call logs,” “collects SMS messages,” “collects contacts,” and “gets list of files in particular system directories”—that control servers can send through SMS, email, or TCP connections. Control phrases used to invoke the commands—including “connect,” “delete,” “location,” and “audio”—are short and vague enough that, should an end user see them appear in a text message, they aren’t likely to arouse suspicions. Infected phones can also receive calls from specific numbers that will turn off headsets and allow the device on the other end to record nearby sounds.
There are clear differences between Monokle and Pegasys, including the fact that the latter came packaged with powerful exploits that install the surveillance malware with little interaction required of the end user. By contrast, there are no accompanying exploits for Monokle, and Lookout researchers still aren’t sure how it gets installed. The chances of ordinary people being infected with either of these types of malware are extremely small.
Still, Lookout’s report provides more than 80 so-called indicators of compromise that allow security products and more technically inclined end users to detect infections. Lookout customers have been protected against Monokle since early last year.