Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

Android Spyware Has Ties to Election Interference

Recently revealed surveillance-ware comes from a consultant with close ties to Russia's GRU who was sanctioned by the US for election-tampering.

A newly discovered Android malware strain has been tied to a US-sanctioned contractor with close connections with Russia's GRU.

According to researchers at Lookout, who found and dubbed the malware as Monokle, is able to steal personal information from an infected device and send it to any of a series of command-and-control (C2) servers. One of the unique aspects of Monokle is that it doesn't need root access to collect its information. Instead, it uses a series of existing techniques in novel ways to get a more complete picture of the user's data, interests, and on-line habits.

"The malware has a unique set of features. It can modify the Android device's trusted root certificate, capture the screen unlock sequence, and capture the auto-complete dictionary, among other things. It's very complete surveillance-ware," says Adam Bauer, senior staff security intelligence engineer at Lookout.

Monokle's source has been traced back to Special Technology Center (STC), a Russian defense contractor sanctioned for its role in interfering with the 2016 US presidential election. "The first reason Monokle is notable is because of its ties to a Russian government defense contractor who is also producing antivirus for Android," says Tim Erlin, vice president of product management and strategy at TripWire. "The second reason it's notable is because of the extent to which it's able to gather data and take advantage of of a mobile device."

According to the Lookout report, Monokle's ties to STC and the Android antivirus software are found in the code. "STC has been developing a set of Android security applications, including an antivirus solution, which share infrastructure with Monokle," the report states.

Lookout determined that Monokle is targeting very specific individuals because of the applications that carry the infection. Christoph Hebeisen, senior manager, security intelligence at Lookout, believes the surveillance-ware's qualities mean that it most likely will remain a tool for spying on high-value targets.

"Ultimately, we believe that this type of software is most likely to be used in targeted attacks, so whether you worry about it or not depends on your threat model," he says.

The Lookout researchers and Erlin point out, though, that there's nothing inherent in Monokle's technology that limits it to a particular target. "In this case, where we're talking about a tool that's been discovered in the wild and analyzed, the use of that tool that's been seen so far has been targeted," Erlin says. "But that doesn't mean that the tool itself couldn't be used in a variety of ways."

Bauer says that the Monokle code was first found in the wild in samples collected in 2016, but the code wasn't initially analyzed and found to be malicious until early 2018. Analysis has continued and more details have become clear. "We decided to go public now because of the relevance of this particular threat," Bauer says. "Once we found that the creator was STC, it became more relevant because the company has been sanctioned due to their connection to GRU in terms of election meddling."

Erlin says there are specific steps individuals and organizations can take to reduce their risk from the spyware: don't install apps from untrusted sources or from unknown third-party sources, and install mobile antivirus, he says.

Related Content:

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

 

 

 

 

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
bwilkes8@gmail.com
100%
0%
[email protected],
User Rank: Moderator
7/26/2019 | 11:03:55 AM
RE: Android Spyware Has Ties to Election Interference
Good article, well balanced, however what if were mentioned that all users of the campaign party that were "hacked" opened spear phished and took the worm.  The penetration of their machines, the network and DNC was due to EMPLOYEES not adhering to basic security practices.  So there article might have included more insight, links and references to such tactics and how to detect them.
For Cybersecurity to Be Proactive, Terrains Must Be Mapped
Craig Harber, Chief Technology Officer at Fidelis Cybersecurity,  10/8/2019
A Realistic Threat Model for the Masses
Lysa Myers, Security Researcher, ESET,  10/9/2019
USB Drive Security Still Lags
Dark Reading Staff 10/9/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-17545
PUBLISHED: 2019-10-14
GDAL through 3.0.1 has a poolDestroy double free in OGRExpatRealloc in ogr/ogr_expat.cpp when the 10MB threshold is exceeded.
CVE-2019-17546
PUBLISHED: 2019-10-14
tif_getimage.c in LibTIFF through 4.0.10, as used in GDAL through 3.0.1 and other products, has an integer overflow that potentially causes a heap-based buffer overflow via a crafted RGBA image, related to a "Negative-size-param" condition.
CVE-2019-17547
PUBLISHED: 2019-10-14
In ImageMagick before 7.0.8-62, TraceBezier in MagickCore/draw.c has a use-after-free.
CVE-2019-17501
PUBLISHED: 2019-10-14
Centreon 19.04 allows attackers to execute arbitrary OS commands via the Command Line field of main.php?p=60807&type=4 (aka the Configuration > Commands > Discovery screen).
CVE-2019-17539
PUBLISHED: 2019-10-14
In FFmpeg before 4.2, avcodec_open2 in libavcodec/utils.c allows a NULL pointer dereference and possibly unspecified other impact when there is no valid close function pointer.