Surveillanceware Has Unique Capabilities That Allow it to Conduct Espionage

Giulio Saggin
Tuesday 28 November 2023

A newly publicised mobile malware has been linked to a Russian company that had sanctions imposed on it for alleged interference in the 2016 US presidential election.

The malware - a mobile surveillanceware called Monokle - is "sophisticated (and) possesses remote access trojan (RAT) functionality, advanced data exfiltration techniques as well as the ability to install an attacker-specified certificate to the trusted certificates on an infected device that would allow for man-in-the-middle (MITM) attacks," according to a report by cyber security company Lookout.

One of the ways Monokle retrieves data is to use "Android's accessibility services to (obtain) data from third party applications and use predictive-text dictionaries to get a sense of the topics of interest to a target. Monokle will also attempt to record the screen during a screen unlock event so as to compromise a user’s PIN, pattern or password."

Monokle first came to the attention of Lookout in March 2016. Later that year, President Obama imposed sanctions on the aforementioned Russian company, Special Technology Centre (STC), a "private defense contractor known for producing Unmanned Aerial Vehicles (UAVs) and Radio Frequency (RF) equipment for supply to the Russian military."

The report links Monokle to STC because the company "has been developing a set of Android security applications, including an antivirus solution, which share infrastructure with Monokle." According to an STC developer, these applications were developed for a "government customer".

Monokle currently targets only Android devices, with attacks on individuals limited to the Caucasus region (Armenia, Azerbaijan, Georgia and southern Russia). It is unclear how many people have been compromised by the malware, and data indicates it is still being actively deployed.
