Researchers have found a new piece of Android spyware that was likely developed by a Russian contractor that has been sanctioned for interfering with the 2016 U.S. Presidential elections.
The spyware, called Monokle, has an amazing range of spying capabilities and can steal data, even without having root access on the phone.
The spyware, distributed as seemingly legit copies of popular apps such as Signal, Google Docs, Facebook Messenger, WhatsApp, WeChat and others, reads data on the screen. It also looks at the predictive dictionary to see what the user might be interested in.
If the spyware can get root access, it installs a security certificate so that it can intercept encrypted traffic.
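The interception trick described above works by getting a rogue CA certificate trusted by the phone; the app-side mitigation is to stop trusting whatever certificates the device happens to hold and pin the expected server keys instead. Below is an added example of an Android Network Security Config that does this; it is not from the original post or from the Monokle research, and the domain `example.com` and the two pin values are placeholders, not real digests.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml, referenced from the manifest via
     android:networkSecurityConfig="@xml/network_security_config" -->
<network-security-config>
    <!-- Default for every host: no cleartext, and trust only the system CA
         store, never certificates a user (or malware acting as the user)
         added under Settings > Security. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- For the app's own backend, additionally pin the server's public key
         hashes, so a CA injected into the system store on a rooted device
         still cannot mint an acceptable certificate. -->
    <domain-config>
        <domain includeSubdomains="true">example.com</domain>
        <pin-set expiration="2025-12-31">
            <!-- PLACEHOLDER: base64 SHA-256 of the leaf's SubjectPublicKeyInfo -->
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
            <!-- PLACEHOLDER: backup pin for the next key, so rotation does not
                 lock users out -->
            <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
        </pin-set>
    </domain-config>
</network-security-config>
```

Since Android 7.0, apps that target API 24 or later already ignore user-added CAs by default, which is why `src="system"` alone defeats the non-root variant of this attack. The pin set is what matters once the spyware has root and can write into the system store, with the caveat that a rooted device lets the attacker patch the app itself, so pinning raises the bar rather than closing the door.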
The spyware is very sophisticated. It is built from “modules”, so new capabilities can be added to it. Some of the modular functionality includes:
- Tracking the device’s location
- Recording audio in the room
- Recording phone calls
- Recording what is on the screen
- Recording keystrokes
- “Fingerprinting” the device
- Stealing browser and call histories
- Stealing emails, text messages and other messages
- Stealing contacts
- Stealing calendar info
- Making calls pretending to be the user
- Sending texts pretending to be the user
- Running arbitrary commands, if root access is available
It has 78 separate commands that it can run.
Many of the infected apps even have the regular functionality of the real app.
The company that wrote it, STC, has been sanctioned by the U.S. and is known to build drones and other RF equipment for the Russian military and government customers.
The researchers also found samples of iOS malware, so they are likely working on an iPhone version.
From a user’s standpoint, there are a few things that you can do to help.
Only install apps from the app store. While this is not foolproof, as both Apple and Google have been known to distribute infected software, both try to keep infected software out.
If you get an email or text message telling you to click on a link to install a fix for an app that you have, do not click on it. Go to the app store directly to look for any updates.
Many endpoint protection software products have a mobile version for phones. While these typically cost money, that is better than being infected.
Right now it appears that the spyware is targeting high value targets, but of course that could change and there could be knockoffs of the software.
Bottom line, be vigilant.
Source: The Hacker News