Android malware is exposed, linked to Russian technology group

Pizza Girl, published in PwnPizza, Aug 14, 2019

An Android spyware called Monokle has been discovered and linked to the Russian technology group Special Technology Center (STC) [2]. The malware infects a device through trojanized applications, and if it is able to gain root access it installs a self-signed certificate into the device's trusted store, opening the device up to potential man-in-the-middle attacks [2]. Without root access, the malware still has a wide range of capabilities it can employ, including screen recording, call logging, keylogging, sending text messages, downloading files, and the list goes on [2].

STC is a group known for producing UAV systems and RF equipment for the Russian military, and the same group had previously been sanctioned by President Obama for suspected interference in the 2016 presidential election [2]. STC also created an Android antivirus called Defender, and similarities have been found between the infrastructure of the Defender app and that of Monokle [2]. The two applications additionally share the same command and control servers, and Lookout has even uncovered potential developer names with ties to both Monokle and other STC applications [2].

Why is it important?

While the scope of this attack has been quite narrow and is likely not applicable to the demographic of this class, this is an important issue because the malware is still being actively deployed and has the potential to become more widespread, if not through Monokle itself then through a similarly constructed malware [3]. Some of Monokle's attack functionality is considered distinct from malware seen before it, such as its ability to install self-signed certificates as trusted, to read a user's predictive text input in order to identify their topics of interest, and to record the lock screen in order to steal a user's PIN or password [2]. Exposing this functionality can help antivirus products detect and prevent other current and future malware that employs those same methods.

The targeting of individuals associated with the Ahrar al-Sham group also has potential political implications, as STC has ties to the Russian government and has likely been gathering private information on this militant group, which Russia has opposed.

Who is affected?

This malware has been active since 2016 and is currently narrowly targeted at individuals living in the Caucasus region (Southern Russia and the neighbouring countries), individuals associated with the Ahrar al-Sham militant group in Syria, and individuals interested in the UzbekChat messaging app of Uzbekistan, a former member of the Soviet Union [1]. Only Android users are affected thus far; however, iOS components have been found in the Android client, hinting at the existence or development of an iOS version [1].

What were the causes?

The cause of these infections is trojanized applications that contain legitimate functionality so as not to arouse suspicion in the user [2]. Some of the fake applications imitated popular Android apps such as Skype and the Google Play Store, while others were smaller targeted apps like Ahrar Maps, aimed at members of the Ahrar al-Sham group [1]. However, it is not entirely clear how the malware was actually distributed [4].

It is suspected that phishing may be involved as well [3].

How might similar problems be prevented?

The way to prevent trojans from infecting your device is to be smarter about which applications you download and where you download them from. The fact that these applications can otherwise look completely legitimate makes it harder to recognize them as malware, so you need to be more careful when actually downloading them. Antivirus software can protect you from trojans or malicious behaviour that it recognizes, but it may not protect you from newer malware that it does not recognize.
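From the app developer's side, the certificate trick described above is the reason an app should not rely on the device trust store alone. The following Android helper is an added example written for this post (not code from the original article, Lookout, or any STC product): it lists CAs that were added to the user trust store and checks a server's leaf certificate against a pinned public-key hash, so a rogue trusted CA on the device cannot silently substitute its own certificate. The pin value and the `TrustStoreAudit` class name are assumptions for illustration.

```java
import android.util.Base64;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

// Added example (hypothetical helper, not part of the article or any referenced project).
public final class TrustStoreAudit {

    // AndroidCAStore exposes trust anchors under aliases prefixed "system:" or "user:".
    // Returns the subject names of every user-added CA. Note the caveat: a malware
    // sample with root can write into the *system* store instead, so this listing is a
    // useful signal but not a complete check; pinning (below) covers both cases.
    public static List<String> userAddedCAs() throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidCAStore");
        ks.load(null, null);
        List<String> found = new ArrayList<>();
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (alias.startsWith("user:")) {
                X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
                found.add(cert.getSubjectX500Principal().getName());
            }
        }
        return found;
    }

    // SPKI pin: base64(SHA-256(SubjectPublicKeyInfo)), the same format used by
    // Android's network security config <pin digest="SHA-256"> entries.
    public static String spkiPin(X509Certificate cert) throws Exception {
        byte[] spki = cert.getPublicKey().getEncoded();
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(spki);
        return Base64.encodeToString(digest, Base64.NO_WRAP);
    }

    // Compare the presented leaf certificate to the pin in constant time.
    // expectedPin is a placeholder value the app would ship with its build.
    public static boolean matchesPin(X509Certificate leaf, String expectedPin) throws Exception {
        byte[] actual = spkiPin(leaf).getBytes(StandardCharsets.UTF_8);
        byte[] expected = expectedPin.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(actual, expected);
    }
}
```

In practice an app would call `matchesPin` on the leaf certificate obtained from the TLS session (for example via `HttpsURLConnection.getServerCertificates()`) and abort the connection on a mismatch, or declare the same pins in a network security config so the platform enforces them.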

[1] https://threatpost.com/monokle-android-spyware/146655/

[2] https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf

[3] https://www.zdnet.com/article/this-android-malware-can-take-photos-and-videos-and-spy-on-your-app-history/

[4] https://www.theinquirer.net/inquirer/news/3079593/russian-monokle-spyware-google-pornhub-apps
