
Described as a "full featured mobile surveillance software", the 'Monokle' malware comes with unique capabilities to conduct espionage.
According to a report from researchers at mobile security company
Monokle is equipped with the ability to install trusted certificates, which allows it to gain root access to the device. It can take photos and videos, retrieve the history of apps including web browsers, social media services, and messengers, track the location of the user, log keystrokes and much more.
It's a highly targeted, custom-built form of powerful Android malware, and according to the researchers, it is being deployed to conduct surveillance on selected individuals.
Monokle can do most of this by exploiting Android's accessibility services and tweaking them to steal data from third-party applications.
It can also use the user's predictive-text dictionaries to gain insight into the kinds of topics that interest them. Even worse, with the ability to record the screen while it is being used, hackers can also see the target's passcode.
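Because the data theft described above depends on an enabled accessibility service, a defender can audit which apps hold one. The following is an added example, not code from Lookout's report: it parses the output of `adb shell settings get secure enabled_accessibility_services` and flags services from packages outside an allowlist. The sample value, the package names and the allowlist are constructed assumptions.

```python
"""Audit which apps hold an enabled Android accessibility service."""

# Constructed sample of what
#   adb shell settings get secure enabled_accessibility_services
# prints: colon-separated "package/class" component names.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.example.flashlight/com.example.flashlight.core.HelperService"
)

# Assumption: packages the device owner expects to hold accessibility access.
ALLOWED_PACKAGES = {"com.google.android.marvin.talkback"}


def parse_components(setting):
    """Return (package, full class name) pairs from the raw setting value."""
    value = (setting or "").strip()
    if value in ("", "null"):  # nothing enabled, or the setting was never written
        return []
    components = []
    for entry in value.split(":"):
        entry = entry.strip()
        if not entry:  # tolerate a stray leading or trailing colon
            continue
        package, sep, cls = entry.partition("/")
        if not sep or not package or not cls:
            raise ValueError(f"malformed component name: {entry!r}")
        if cls.startswith("."):  # shorthand: class name relative to the package
            cls = package + cls
        components.append((package, cls))
    return components


def unexpected_services(setting, allowed=ALLOWED_PACKAGES):
    """List enabled accessibility services whose package is not allowlisted."""
    return [(p, c) for p, c in parse_components(setting) if p not in allowed]


if __name__ == "__main__":
    for package, cls in unexpected_services(SAMPLE_SETTING):
        print(f"review: {package} runs accessibility service {cls}")
```

A flagged entry is a prompt for review, not proof of compromise, since many legitimate apps request accessibility access.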
"Monokle is advanced and full featured mobile surveillance software," said Adam Bauer, a senior staff security intelligence engineer and one of the investigators behind the research.
"It could be used for any objective which would require surveillance through a mobile device."
When Lookout discovered Monokle, it targeted only Android devices. However, the code also contains samples of unused commands and data transfer objects, suggesting the possible existence of an iOS version.

Lookout thinks that the malware has been around since 2016, with targets including those in Armenia, Azerbaijan, Georgia and Syria.
The researchers noted that the samples they received are built around trojanized versions of real and legitimate apps, complete with the same appearance and functionality.
"In similar attacks, such as Dark Caracal, we've observed the use of phishing attacks through messaging applications, SMS, or emails used to distribute this type of malware," continued Bauer.
Lookout linked the infrastructure behind Monokle to Special Technology Centre (STC), a Russian company located in St. Petersburg.
In business since the year 2000, STC is a private defense contractor known for producing Unmanned Aerial Vehicles (UAVs) and Radio Frequency (RF) equipment for supply to the Russian military, as well as other government customers.
The company was one of several Russian companies subjected to sanctions by the Obama administration in December 2016 for being "complicit in malicious cyber-enabled activities" against the U.S.
The defense contractor is one of three companies sanctioned for providing material support to the Main Intelligence Directorate (GRU) for alleged interference in the 2016 U.S. presidential election.
The researchers said that STC has been developing a set of Android security apps that share code and command-and-control servers with Monokle.
"Many of these applications are trojanized and include legitimate functionality, so user suspicion is not aroused. Lookout data indicates this tool is still being actively deployed," the report reads.
