
Report: Russian Defense Contractor Behind Android Surveillanceware Tools

A Russian defense contractor has developed custom Android mobile spyware tools that could be used by Moscow intelligence operatives to meddle in the 2020 U.S. presidential election.

Mobile security provider Lookout said it discovered and tracked a set of surveillance tools dubbed Monokle connected to targeted campaigns developed by Special Technology Centre (STC), a St. Petersburg, Russia-based company. Former President Barack Obama sanctioned STC as one of three companies that provided support for the Russian military intelligence service (GRU) for alleged interference in the 2016 U.S. presidential election, Lookout researchers wrote in a blog post.

The Monokle mobile malware is particularly dangerous. It can steal personal data stored on an infected device and exfiltrate the information to command-and-control infrastructure. Lookout's researchers said Monokle is "something we have never seen in the wild before."

STC is known for supplying the Russian military and other government entities with Unmanned Aerial Vehicles (UAVs) and Radio Frequency (RF) equipment. Lookout said that its research indicated that STC is developing both offensive and defensive Android security software. Company researchers said that they can “establish conclusively” that STC is the developer of Monokle.

“Monokle is a great example of the larger trend of enterprises and nation-states developing sophisticated mobile malware that we have observed over the years,” Lookout researchers Adam Bauer, Apurva Kumar, and Christoph Hebeisen wrote.

Here’s what Monokle can do:

  • Uses existing methods in novel ways in order to be extremely effective at data exfiltration, even without root access. In particular, it makes extensive use of the Android accessibility services to exfiltrate data from third-party applications.
  • Installs an attacker-specified certificate into the trusted certificate store on an infected device, which would allow for man-in-the-middle (MITM) attacks.
  • Uses predictive-text dictionaries to get a sense of the topics of interest to a target.
  • Has the ability to record the device’s screen during a screen unlock event, allowing it to compromise a user’s PIN, pattern or password.
  • Monokle appears in a very limited set of applications which implies attacks using Monokle are highly targeted. Many of these applications are trojanized and include legitimate functionality, so user suspicion is not aroused. Lookout data indicates this tool is still being actively deployed.
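The second capability above, adding an attacker-chosen certificate to the device's trusted store, is the one an app developer can blunt directly. The Android Network Security Configuration below is an added defensive example written for this article; it is not code from Lookout, from the Monokle report, or from any project the article names, and the domain `api.example.com` and the pin digest are placeholders. Apps targeting API 24 and later already ignore user-added CAs by default, but an explicit configuration makes the choice visible in review and adds pinning, which is checked against the certificate chain whether the trust anchor is a user-added or a system certificate.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml
     Added defensive example for this article, not Lookout's or any project's code.
     Referenced from AndroidManifest.xml with
       <application android:networkSecurityConfig="@xml/network_security_config" ...>
     api.example.com and the pin value are placeholders, not real values. -->
<network-security-config>

    <!-- Default for every connection the app makes. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <!-- Trust only the platform CA store. -->
            <certificates src="system" />

            <!-- WEAK SETTING, shown for contrast and deliberately left commented out:
                 trusting the user store means a certificate installed by malware
                 on an unrooted device becomes a valid issuer for this app's TLS
                 connections, enabling the MITM described above.
            <certificates src="user" />
            -->
        </trust-anchors>
    </base-config>

    <!-- Pin the app's own backend (placeholder host). Pins are evaluated against
         the served chain regardless of which store the issuing CA came from, so
         this still holds if a certificate was pushed into the system store. -->
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2021-01-01">
            <!-- Placeholder: replace with the base64 SHA-256 of the leaf or
                 intermediate SubjectPublicKeyInfo. Keep a backup pin so a key
                 rotation does not lock users out. -->
            <pin digest="SHA-256">REPLACE_WITH_BASE64_SHA256_OF_SPKI=</pin>
            <pin digest="SHA-256">REPLACE_WITH_BACKUP_PIN_BASE64_SHA256=</pin>
        </pin-set>
    </domain-config>

</network-security-config>
```

The configuration only governs TLS trust inside the app that ships it; it does nothing about the accessibility-service and screen-recording capabilities in the list, which are mitigated on the device side by auditing which apps hold accessibility permissions and by keeping sideloading disabled.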

In Congressional hearings, former special counsel Robert Mueller warned about continued Russian interference in U.S. elections. “We are expecting them to do it again during the next campaign,” Mueller said. And the Senate Intelligence Committee’s bipartisan report on Russian meddling in the 2016 election found that the “Russian government directed extensive activity, beginning in at least 2014 and carrying into at least 2017, against U.S. election infrastructure at the state and local level.” All 50 states were targeted in the 2016 presidential election, the report said.

Based on Lookout’s Monokle discovery, could sophisticated, targeted campaigns aimed at mobile devices be in the offing for the 2020 elections? It seems naive to think otherwise.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.