Cybersecurity researchers have uncovered a new piece of mobile surveillance malware believed to be developed by a Russian defense contractor that has been sanctioned for interfering with the 2016 U.S. presidential election.
Dubbed Monokle, the mobile remote-access trojan has been actively targeting Android phones since at least March 2016 and is primarily being used in highly targeted attacks on a limited number of people.
According to security researchers at Lookout, Monokle possesses a wide range of spying functionalities and uses advanced data exfiltration techniques, even without requiring root access to a targeted device.
How Bad is Monokle Surveillance Malware
In particular, the malware abuses Android accessibility services to exfiltrate data from a large number of popular third-party applications, including Google Docs, Facebook Messenger, WhatsApp, WeChat, and Snapchat, by reading text displayed on a device’s screen at any point in time.
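Because the abuse described above depends on the malware being granted the accessibility permission, one defensive check is to audit which services currently hold it. The following script is an added example (not code from the article or from Lookout): it parses the raw value that `adb shell settings get secure enabled_accessibility_services` prints, which Android stores as a colon-separated list of `package/ServiceClass` entries, and flags every entry whose package is not on an explicit allowlist. The sample setting value and the allowlist are constructed for illustration.

```python
"""Audit Android's enabled_accessibility_services setting for unexpected entries.

Added example, not from the article or from Lookout. Input is the raw
value of `adb shell settings get secure enabled_accessibility_services`.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set

# Constructed sample value (not a real capture): TalkBack plus one unknown service.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.unknownapp/.svc.ScreenReaderService"
)

# Hypothetical allowlist: packages the device owner knowingly granted accessibility.
ALLOWLIST: Set[str] = {"com.google.android.marvin.talkback"}


@dataclass(frozen=True)
class AccessibilityEntry:
    package: str
    service: str


def parse_enabled_services(raw: str) -> List[AccessibilityEntry]:
    """Split the setting value into (package, service) pairs.

    `settings get` prints the literal string "null" when the key is unset and
    an empty string when no service is enabled; both mean "nothing enabled".
    A service class written as ".svc.Foo" is relative to its package, so it
    is expanded to the fully qualified class name.
    """
    raw = raw.strip()
    if raw in ("", "null"):
        return []
    entries: List[AccessibilityEntry] = []
    for item in raw.split(":"):
        if not item or "/" not in item:
            continue  # tolerate trailing separators or malformed fragments
        package, service = item.split("/", 1)
        if service.startswith("."):
            service = package + service
        entries.append(AccessibilityEntry(package, service))
    return entries


def unexpected_services(raw: str, allowlist: Iterable[str] = ALLOWLIST) -> List[AccessibilityEntry]:
    """Return every enabled accessibility service whose package is not allowlisted."""
    allowed = set(allowlist)
    return [e for e in parse_enabled_services(raw) if e.package not in allowed]


if __name__ == "__main__":
    for entry in unexpected_services(SAMPLE_SETTING):
        print(f"unexpected accessibility service: {entry.package} ({entry.service})")
```

On a real device, pipe the output of `adb shell settings get secure enabled_accessibility_services` into `unexpected_services`; any package you did not deliberately grant the permission to deserves a closer look, since that permission is what lets a screen-reading implant see on-screen text.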
The malware also extracts user-defined predictive-text dictionaries to “get a sense of the topics of interest to a target,” and also attempts to record the phone screen during a screen unlock event in order to compromise the phone’s PIN, pattern or password.
Besides this, if root access is available, the spyware installs attacker-specified root CA certificates into the list of trusted certificates on a compromised device, potentially enabling the attackers to easily intercept encrypted SSL-protected network traffic through Man-in-the-Middle (MitM) attacks.