Russian Government-linked Hacker Group Releases Powerful Android Malware

Monokle, developed by STC, is an advanced mobile surveillanceware that compromises a user’s privacy by stealing personal data stored on an infected device and exfiltrating this information to command and control infrastructure. While most of its functionality is typical of mobile surveillanceware, Monokle is unique in that it uses existing methods in novel ways in order to be extremely effective at data exfiltration, even without root access. Among other things, Monokle makes extensive use of the Android accessibility services to exfiltrate data from third-party applications and uses predictive-text dictionaries to get a sense of the topics of interest to a target. Monokle will also attempt to record the screen during a screen unlock event so as to compromise a user’s PIN, pattern or password.

Monokle appears in a very limited set of applications which implies attacks using Monokle are highly targeted. Many of these applications are trojanized and include legitimate functionality, so user suspicion is not aroused. Lookout data indicates this tool is still being actively deployed.

Lookout is able to link STC to Monokle because it has also discovered that STC has been developing a set of Android security applications, including an antivirus solution, which share infrastructure with Monokle, among other links which are detailed in this report. These applications were developed “for a government customer” according to an STC developer.

Lookout is providing, with this report, a list of more than 80 Indicators of Compromise (IOCs) that would allow cyber security solutions to protect their customers from this threat. Lookout customers have been protected against Monokle since early 2018.

Key Findings
Lookout has discovered new mobile surveillanceware called Monokle

• Monokle is a sophisticated mobile surveillanceware that possesses remote access trojan (RAT) functionality, advanced data exfiltration techniques as well as the ability to install an attacker-specified certificate to the trusted certificates on an infected device that would allow for man-in-the-middle (MITM) attacks.

• Lookout has observed samples in the wild since March 2016. Lookout sensors show that activity appears to remain small but consistent, peaking during the first half of 2018.

• Monokle makes extensive use of Android accessibility services to exfiltrate data from third party applications by reading text displayed on a device’s screen at any point in time.

• There is evidence that an iOS version of Monokle is in development. Lookout has no evidence of active iOS infections.

• Monokle has likely been used to target individuals in the Caucasus regions and individuals interested in the Ahrar al-Sham militant group in Syria, among others.

Special Technology Center (STC) is a Russian defense contractor sanctioned by the U.S. government in connection to alleged interference in the 2016 U.S. presidential elections

STC is known for producing Unmanned Aerial Vehicles (UAVs) and radio frequency (RF) measurement equipment.

STC was sanctioned by the U.S. Government through an amendment to Executive Order 13694, and is linked to providing material support to the Main Intelligence Directorate (GRU) and assisting it in conducting signals intelligence operations.

STC is developing both offensive and defensive Android security software

• Lookout researchers have discovered previously unknown mobile software development and surveillance capabilities of STC, suggesting that it operates on both the offensive and defensive side of mobile tooling.

• Its Android antivirus solution is called Defender and its mobile surveillanceware is called Monokle. It is through connections between these tools that Lookout can establish conclusively that STC is the developer of Monokle.

• Lookout has found strong links that tie STC’s Android software development operations to Monokle’s IOCs.

• Lookout has found shared command and control infrastructure used by both legitimate and malicious Android applications produced by STC.

• The Defender application and related software has been referred to by an STC developer as developed “for a government customer.”

• Lookout data indicates this tool is still being actively deployed.

Lookout is releasing more than 80 indicators of compromise (IOC):

• 57 SHA-1 hashes and 1 YARA rule for Android malware IOCs.

• 22 domains and IP addresses.

• Four Russian mobile phone numbers used as attacker control phones for Monokle.

— Read more in Monokle: The Mobile Surveillance Tooling of the Special Technology Center (Lookout, July 2019)