Wed. Aug 12th, 2020

Lookout research: powerful Monokle malware comes from Russia


Researchers have discovered one of the most advanced and versatile pieces of mobile surveillance software seen to date. The Android app, called Monokle, has been observed since March 2016. Monokle is said to have been developed by a Russian defense contractor to help the country's intelligence agencies intervene in the 2016 US presidential election. According to a report released by the security research firm Lookout, Monokle uses several novel techniques, including modifying the Android trusted certificate store and using command-and-control channels that can operate over Internet TCP ports, email, SMS or phone calls.

Even more surprising, Monokle supports offline monitoring that keeps working when no Internet connection is available. Here is the full list of Monokle features disclosed by Lookout:

● Retrieve calendar information, including event names, descriptions, times and locations;

● Man-in-the-middle attacks against HTTPS traffic and other TLS-protected communications;

● Collect account information and retrieve messages for WhatsApp, Instagram, VK, Skype and imo;

● Receive out-of-band commands via keywords (control phrases) delivered by SMS or from designated control phones;

● Send SMS messages to a number specified by the attacker;

● Reset the user's password;

● Record ambient audio (at a selectable high, medium or low quality);

● Make calls;

● Record calls;

● Retrieve the text of documents from popular office applications;

● Take photos, videos and screenshots;

● Record passwords, including the phone's unlock PIN;

● Retrieve the salt used to encrypt stored passwords, such as the PIN, to help recover them;

● Accept commands from a specified set of phone numbers;

● Retrieve contacts, emails, call history, browsing history, accounts and the corresponding passwords;

● Obtain device information, including brand, model, battery level, Wi-Fi or mobile data connection, and whether the screen is on or off;

● If the device is rooted, execute arbitrary shell commands as root;

● Track device location;

● Obtain information about nearby cellular base stations;

● Get a list of installed apps;

● Get details of nearby Wi-Fi networks;

● Delete any file;

● Download a file specified by the attacker;

● Restart the device;

● Uninstall itself and delete all traces from the infected phone.

Based on analysis of some of the Monokle samples, Lookout researchers speculate that a version of Monokle has also been developed for Apple's iOS devices.

Lookout researchers believe that Monokle is closely linked to Special Technology Centre, Ltd, a St. Petersburg, Russia-based company that US President Barack Obama sanctioned as a Russian defense contractor on the grounds that it was suspected of interfering in the 2016 US presidential election.

Lookout points out that capabilities like these pose a very high risk to mobile devices. The researchers also found that Monokle was disguised as only a handful of applications, indicating that the surveillance tool was developed to target a limited number of specific people.