Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

Android Spyware Has Ties to Election Interference

Recently revealed surveillance-ware comes from a consultant with close ties to Russia's GRU who was sanctioned by the US for election-tampering.

A newly discovered Android malware strain has been tied to a US-sanctioned contractor with close connections with Russia's GRU.

According to researchers at Lookout, who found and dubbed the malware as Monokle, is able to steal personal information from an infected device and send it to any of a series of command-and-control (C2) servers. One of the unique aspects of Monokle is that it doesn't need root access to collect its information. Instead, it uses a series of existing techniques in novel ways to get a more complete picture of the user's data, interests, and on-line habits.

"The malware has a unique set of features. It can modify the Android device's trusted root certificate, capture the screen unlock sequence, and capture the auto-complete dictionary, among other things. It's very complete surveillance-ware," says Adam Bauer, senior staff security intelligence engineer at Lookout.

Monokle's source has been traced back to Special Technology Center (STC), a Russian defense contractor sanctioned for its role in interfering with the 2016 US presidential election. "The first reason Monokle is notable is because of its ties to a Russian government defense contractor who is also producing antivirus for Android," says Tim Erlin, vice president of product management and strategy at TripWire. "The second reason it's notable is because of the extent to which it's able to gather data and take advantage of of a mobile device."

According to the Lookout report, Monokle's ties to STC and the Android antivirus software are found in the code. "STC has been developing a set of Android security applications, including an antivirus solution, which share infrastructure with Monokle," the report states.

Lookout determined that Monokle is targeting very specific individuals because of the applications that carry the infection. Christoph Hebeisen, senior manager, security intelligence at Lookout, believes the surveillance-ware's qualities mean that it most likely will remain a tool for spying on high-value targets.

"Ultimately, we believe that this type of software is most likely to be used in targeted attacks, so whether you worry about it or not depends on your threat model," he says.

The Lookout researchers and Erlin point out, though, that there's nothing inherent in Monokle's technology that limits it to a particular target. "In this case, where we're talking about a tool that's been discovered in the wild and analyzed, the use of that tool that's been seen so far has been targeted," Erlin says. "But that doesn't mean that the tool itself couldn't be used in a variety of ways."

Bauer says that the Monokle code was first found in the wild in samples collected in 2016, but the code wasn't initially analyzed and found to be malicious until early 2018. Analysis has continued and more details have become clear. "We decided to go public now because of the relevance of this particular threat," Bauer says. "Once we found that the creator was STC, it became more relevant because the company has been sanctioned due to their connection to GRU in terms of election meddling."

Erlin says there are specific steps individuals and organizations can take to reduce their risk from the spyware: don't install apps from untrusted sources or from unknown third-party sources, and install mobile antivirus, he says.

Related Content:

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

 

 

 

 

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
bwilkes8@gmail.com
100%
0%
[email protected],
User Rank: Moderator
7/26/2019 | 11:03:55 AM
RE: Android Spyware Has Ties to Election Interference
Good article, well balanced, however what if were mentioned that all users of the campaign party that were "hacked" opened spear phished and took the worm.  The penetration of their machines, the network and DNC was due to EMPLOYEES not adhering to basic security practices.  So there article might have included more insight, links and references to such tactics and how to detect them.
GitHub Named in Capital One Breach Lawsuit
Dark Reading Staff 8/14/2019
The Mainframe Is Seeing a Resurgence. Is Security Keeping Pace?
Ray Overby, Co-Founder & President at Key Resources, Inc.,  8/15/2019
The Flaw in Vulnerability Management: It's Time to Get Real
Jim Souders, Chief Executive Officer at Adaptiva,  8/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-4483
PUBLISHED: 2019-08-20
IBM Contract Management 10.1.0 through 10.1.3 and IBM Emptoris Spend Analysis 10.1.0 through 10.1.3 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X...
CVE-2019-4484
PUBLISHED: 2019-08-20
IBM Emptoris Sourcing 10.1.0 through 10.1.3, IBM Contract Management 10.1.0 through 10.1.3, and IBM Emptoris Spend Analysis 10.1.0 through 10.1.3 generates an error message that includes sensitive information that could be used in further attacks against the system. IBM X-Force ID: 164068.
CVE-2019-4485
PUBLISHED: 2019-08-20
IBM Emptoris Sourcing 10.1.0 through 10.1.3, IBM Contract Management 10.1.0 through 10.1.3, and IBM Emptoris Spend Analysis 10.1.0 through 10.1.3 generates an error message that includes sensitive information that could be used in further attacks against the system. IBM X-Force ID: 164069.
CVE-2019-7593
PUBLISHED: 2019-08-20
Metasys? ADS/ADX servers and NAE/NIE/NCE engines prior to 9.0 make use of a shared RSA key pair for certain encryption operations involving the Site Management Portal (SMP).
CVE-2019-7594
PUBLISHED: 2019-08-20
Metasys? ADS/ADX servers and NAE/NIE/NCE engines prior to 9.0 make use of a hardcoded RC2 key for certain encryption operations involving the Site Management Portal (SMP).