A Russian military contractor has a shady new Android malware kit

Discovered last year, the surveillance tool is still in active use, according to Lookout.
The so-called “Monokle” malware is extremely invasive, according to Lookout. (Getty)

A contractor for the Russian military that was sanctioned for interfering in the 2016 U.S. election has developed Android malware that is being used in “highly-targeted” attacks that exfiltrate data using third-party applications, according to mobile security company Lookout.

The malware allegedly developed by the contractor, St. Petersburg-based Special Technology Center (STC), is capable of installing the attacker’s own software certificate in a certificate store and then using it for “man-in-the-middle” attacks, intercepting data before it reaches its intended recipient.

“This ability is something that Lookout researchers have never seen in the wild before,” Lookout’s Adam Bauer, Apurva Kumar, and Christoph Hebeisen said Wednesday.

The so-called “Monokle” malware is extremely invasive, according to Lookout. It can record a target device’s screen while the user is unlocking it, capturing the user’s PIN. It abuses Android’s accessibility features to harvest data from third-party apps. And it uses “predictive-text dictionaries” to figure out what a target user is interested in.

Discovered last year, the surveillance tool is still in active use, Lookout said. The malware shows up in a small number of trojanized mobile apps, indicating it is being used in carefully crafted attacks, the researchers said. New samples were seen as recently as last month.

“We’ve seen evidence that Monokle has been under active development for years and have no reason to believe work isn’t continuing on it,” Hebeisen, Lookout’s head of threat research, told CyberScoop. He declined to say where the phones infected by Monokle were located.

Among the malware’s targets were people interested in Ahrar al-Sham, a militant group fighting the Syrian regime, and “individuals living in or associated with the Caucasus regions of Eastern Europe,” Lookout said.

STC was one of several Russian organizations or individuals sanctioned through a 2016 executive order from President Barack Obama for interfering in the presidential election. A White House statement at the time said that the STC helped Russia’s military intelligence service, the GRU, conduct signals intelligence operations.

STC did not immediately respond to a request for comment on Lookout’s findings. STC’s website boasts that, in 10 years in business, it has “gained a leading position” in the international market for radio-monitoring equipment.

Lookout researchers traced Monokle back to STC by examining the Russian company’s antivirus Android app. That application communicates with the same networking infrastructure that Monokle does, the researchers said. Hebeisen told CyberScoop that there’s no reason to think STC is limiting its focus to Android devices. “We have observed code, included in the Android applications, which points to the existence of an iOS version of the software.”

The discovery is part of a larger trend of companies and governments developing advanced mobile malware, Lookout pointed out. STC is one of several surveillance vendors that security researchers are tracking, including Israel-based NSO Group and the developers of the FinFisher kit.

“Monokle shows that it would be naive to think that mobile surveillance-ware is a rare capability of nation-states,” Hebeisen said.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.