Dubbed Monokle, the malware can “exfiltrate data from third party applications by reading text displayed on a device’s screen at any point in time,” the report said.
Monokle seeks root access, the most privileged level of control. When it achieves that access it's able to overwrite the device's trusted security certificates to intercept, and potentially change, incoming and outgoing information, an attack sometimes called a man-in-the-middle attack. Root matters here because modern Android versions do not let apps trust certificates a user adds on their own; only a certificate placed in the system store, which requires root, is accepted by other apps' encrypted connections. But Monokle can operate and steal data even when it can't access root (because of system configuration). "This allows the software to be incredibly flexible and useful in multiple operational scenarios," they note.
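One practical check against this kind of tampering is to compare the certificates in a device's trust store against a known-good baseline. The script below is an added example for this article, not code from Lookout's report or from Monokle itself: it extracts every CERTIFICATE block from a PEM bundle, fingerprints each one with SHA-256, and reports fingerprints that are not on the allowlist. The "certificates" in it are constructed placeholder byte strings, not real X.509 data; the names BASELINE, CLEAN_BUNDLE and TAMPERED_BUNDLE are assumptions made up for the example.

```python
"""Flag trust-store certificates that are not on a known-good baseline.

Added example (not from the original article or the Lookout report).
The sample inputs are constructed placeholders, not real X.509 certificates;
fingerprinting hashes the DER bytes and does not need to parse them.
"""
import base64
import hashlib
import re

# Matches the base64 body of each CERTIFICATE block in a PEM bundle.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding, rendered as colon-separated hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def der_blocks(bundle: str) -> list[bytes]:
    """Return the DER bytes of every CERTIFICATE block in a PEM bundle."""
    blocks = []
    for body in PEM_RE.findall(bundle):
        blocks.append(base64.b64decode("".join(body.split()), validate=True))
    return blocks


def to_pem(der: bytes) -> str:
    """Wrap DER bytes in a PEM CERTIFICATE block (used to build samples)."""
    body = base64.encodebytes(der).decode()  # 76-column lines, newline-terminated
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"


def unexpected_cas(bundle: str, baseline: set[str]) -> list[str]:
    """Fingerprints present in the bundle but absent from the baseline.

    An attacker-installed root appears here; a removed baseline root does
    not, so pair this with a check for missing fingerprints if that matters.
    """
    seen = {fingerprint(der) for der in der_blocks(bundle)}
    return sorted(seen - baseline)


# Constructed sample data (assumption: placeholders standing in for DER).
TRUSTED_DERS = [
    b"constructed placeholder DER for trusted root A",
    b"constructed placeholder DER for trusted root B",
]
ROGUE_DER = b"constructed placeholder DER for an attacker-installed root"

BASELINE = {fingerprint(der) for der in TRUSTED_DERS}
CLEAN_BUNDLE = "".join(to_pem(der) for der in TRUSTED_DERS)
TAMPERED_BUNDLE = CLEAN_BUNDLE + to_pem(ROGUE_DER)


if __name__ == "__main__":
    for name, bundle in (("clean", CLEAN_BUNDLE), ("tampered", TAMPERED_BUNDLE)):
        extra = unexpected_cas(bundle, BASELINE)
        print(f"{name}: {extra if extra else 'no unexpected CAs'}")
```

On a real device the baseline would be built from a known-clean image, and the bundle from the contents of the system certificate directory concatenated into one file; because the check is a pure fingerprint comparison, it is unaffected by cosmetic differences such as a certificate's file name or line wrapping.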
The researchers first spotted Monokle in 2016, and have seen it pop up in the wild. But they’ve also seen it as part of highly targeted campaigns, one aimed at Muslim men in the Caucasus region and another at people interested in Syria’s Ahrar al-Sham group, one of the Islamic militant groups fighting the Assad regime. These efforts peaked in 2018, simultaneous with heavy Russian military action against anti-Assad groups.
Lookout determined that Monokle was developed by the Russian Special Technology Center, a group linked to the GRU, Russia’s military intelligence agency. The group was sanctioned by the U.S. government for its role in the 2016 attack on the U.S. presidential election. The evidence? Some of the developers known to work for the STC literally signed their work.
“While conducting this investigation, Lookout researchers came across a number of potential developer names that appear to be linked to Monokle or software connected to STC. Some of these leads provided Lookout with the evidence to link development operations within STC to IOCs [indicators of compromise] associated with Monokle,” they write.
Lookout reports that the STC is hiding the malware in fake “trojanized” versions of many popular apps, and some less popular ones to appeal to specific target groups.