Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

Android Spyware Has Ties to Election Interference

Recently revealed surveillance-ware comes from a consultant with close ties to Russia's GRU who was sanctioned by the US for election-tampering.

A newly discovered Android malware strain has been tied to a US-sanctioned contractor with close connections with Russia's GRU.

According to researchers at Lookout, who found and dubbed the malware as Monokle, is able to steal personal information from an infected device and send it to any of a series of command-and-control (C2) servers. One of the unique aspects of Monokle is that it doesn't need root access to collect its information. Instead, it uses a series of existing techniques in novel ways to get a more complete picture of the user's data, interests, and on-line habits.

"The malware has a unique set of features. It can modify the Android device's trusted root certificate, capture the screen unlock sequence, and capture the auto-complete dictionary, among other things. It's very complete surveillance-ware," says Adam Bauer, senior staff security intelligence engineer at Lookout.

Monokle's source has been traced back to Special Technology Center (STC), a Russian defense contractor sanctioned for its role in interfering with the 2016 US presidential election. "The first reason Monokle is notable is because of its ties to a Russian government defense contractor who is also producing antivirus for Android," says Tim Erlin, vice president of product management and strategy at TripWire. "The second reason it's notable is because of the extent to which it's able to gather data and take advantage of of a mobile device."

According to the Lookout report, Monokle's ties to STC and the Android antivirus software are found in the code. "STC has been developing a set of Android security applications, including an antivirus solution, which share infrastructure with Monokle," the report states.

Lookout determined that Monokle is targeting very specific individuals because of the applications that carry the infection. Christoph Hebeisen, senior manager, security intelligence at Lookout, believes the surveillance-ware's qualities mean that it most likely will remain a tool for spying on high-value targets.

"Ultimately, we believe that this type of software is most likely to be used in targeted attacks, so whether you worry about it or not depends on your threat model," he says.

The Lookout researchers and Erlin point out, though, that there's nothing inherent in Monokle's technology that limits it to a particular target. "In this case, where we're talking about a tool that's been discovered in the wild and analyzed, the use of that tool that's been seen so far has been targeted," Erlin says. "But that doesn't mean that the tool itself couldn't be used in a variety of ways."

Bauer says that the Monokle code was first found in the wild in samples collected in 2016, but the code wasn't initially analyzed and found to be malicious until early 2018. Analysis has continued and more details have become clear. "We decided to go public now because of the relevance of this particular threat," Bauer says. "Once we found that the creator was STC, it became more relevant because the company has been sanctioned due to their connection to GRU in terms of election meddling."

Erlin says there are specific steps individuals and organizations can take to reduce their risk from the spyware: don't install apps from untrusted sources or from unknown third-party sources, and install mobile antivirus, he says.

Related Content:

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

 

 

 

 

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
bwilkes8@gmail.com
100%
0%
[email protected],
User Rank: Moderator
7/26/2019 | 11:03:55 AM
RE: Android Spyware Has Ties to Election Interference
Good article, well balanced, however what if were mentioned that all users of the campaign party that were "hacked" opened spear phished and took the worm.  The penetration of their machines, the network and DNC was due to EMPLOYEES not adhering to basic security practices.  So there article might have included more insight, links and references to such tactics and how to detect them.
Commentary
How SolarWinds Busted Up Our Assumptions About Code Signing
Dr. Jethro Beekman, Technical Director,  3/3/2021
News
'ObliqueRAT' Now Hides Behind Images on Compromised Websites
Jai Vijayan, Contributing Writer,  3/2/2021
News
Attackers Turn Struggling Software Projects Into Trojan Horses
Robert Lemos, Contributing Writer,  2/26/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: George has not accepted that the technology age has come to an end.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-26814
PUBLISHED: 2021-03-06
Wazuh API in Wazuh from 4.0.0 to 4.0.3 allows authenticated users to execute arbitrary code with administrative privileges via /manager/files URI. An authenticated user to the service may exploit incomplete input validation on the /manager/files API to inject arbitrary code within the API service sc...
CVE-2021-27581
PUBLISHED: 2021-03-05
The Blog module in Kentico CMS 5.5 R2 build 5.5.3996 allows SQL injection via the tagname parameter.
CVE-2021-28042
PUBLISHED: 2021-03-05
Deutsche Post Mailoptimizer 4.3 before 2020-11-09 allows Directory Traversal via a crafted ZIP archive to the Upload feature or the MO Connect component. This can lead to remote code execution.
CVE-2021-28041
PUBLISHED: 2021-03-05
ssh-agent in OpenSSH before 8.5 has a double free that may be relevant in a few less-common scenarios, such as unconstrained agent-socket access on a legacy operating system, or the forwarding of an agent to an attacker-controlled host.
CVE-2021-3377
PUBLISHED: 2021-03-05
The npm package ansi_up converts ANSI escape codes into HTML. In ansi_up v4, ANSI escape codes can be used to create HTML hyperlinks. Due to insufficient URL sanitization, this feature is affected by a cross-site scripting (XSS) vulnerability. This issue is fixed in v5.0.0.