July 24, 2019
By Adam Bauer, Apurva Kumar, Christoph Hebeisen
Monokle is a new and sophisticated set of custom Android surveillanceware tools developed by the Russia-based company, Special Technology Centre, Ltd, which was sanctioned by the U.S. Government in connection to interference in the 2016 US presidential elections.
Lookout discovered Monokle in 2018 and our research indicates that these tools are part of a targeted set of campaigns and are developed by the St. Petersburg, Russia-based company, Special Technology Centre, Ltd. (STC), which is notable for providing material support to the GRU in its interference in the 2016 U.S. Presidential election.
Monokle possesses remote access trojan (RAT) functionality, uses advanced data exfiltration techniques and has the ability to install an attacker-specified certificate to the trusted certificates store on an infected device that would facilitate man-in-the-middle (MITM) attacks. This ability is something that Lookout researchers have never seen in the wild before.
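The certificate-installation capability described above matters because an app that trusts the device's user-added certificate store will accept TLS connections intercepted with an attacker-installed CA. The following Android network security configuration is an added example (not code from Lookout or from the Monokle report) showing the weak setting beside the hardened one; the domain name and the SPKI pin values are placeholders, and the pinning only defends against CAs added to the user store, not against an implant with root access that alters the system store itself.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml, referenced from AndroidManifest.xml via
     android:networkSecurityConfig="@xml/network_security_config" on <application>.
     Added example for illustration; not part of the original post. -->
<network-security-config>

    <!-- WEAK (shown commented out, do not ship): trusting src="user" means any CA
         that ends up in the device's "User" trusted credentials is honoured for
         every TLS connection this app makes, which is exactly the condition a
         certificate-installing implant relies on for interception. -->
    <!--
    <base-config>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
    -->

    <!-- HARDENED: trust only the system CA store (the Android 7+ default) and
         refuse cleartext traffic so a downgrade cannot sidestep TLS entirely. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- For the app's own backend, additionally pin the server's SPKI hashes so
         that even a CA present in the system store cannot mint an accepted
         certificate. Values below are placeholders; generate real ones from the
         leaf or intermediate public key and always ship a backup pin. -->
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2026-12-31">
            <pin digest="SHA-256">PLACEHOLDER_PRIMARY_SPKI_SHA256_BASE64=</pin>
            <pin digest="SHA-256">PLACEHOLDER_BACKUP_SPKI_SHA256_BASE64=</pin>
        </pin-set>
    </domain-config>

    <!-- Debug builds only (android:debuggable="true"): allow a developer-installed
         proxy CA without weakening release builds. Ignored in release builds. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>

</network-security-config>
```

Two points to check when adopting this: pin expiration dates must be tracked alongside certificate rotation, otherwise pinning silently stops being enforced after the date passes, and the `debug-overrides` block is the only place the user store should ever be trusted.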
In late 2016, the amendment to Executive Order 13964 issued by then-President Barack Obama imposed sanctions on STC as one of three companies that provided material support to the Main Intelligence Directorate (GRU) for alleged interference in the 2016 U.S. presidential election. STC is a private defense contractor in Russia known for producing Unmanned Aerial Vehicles (UAVs) and Radio Frequency (RF) equipment supplied to the Russian military, as well as to other government customers.
Lookout research shows that STC is developing both offensive and defensive Android security software, having uncovered previously unknown mobile software development and surveillance capabilities. It is through STC's connection to its own Android antivirus solution, called Defender, that Lookout can establish conclusively that STC is the developer of Monokle.
Monokle is a great example of the larger trend of enterprises and nation-states developing sophisticated mobile malware that we have observed over the years. Monokle is an advanced mobile surveillanceware that compromises a user’s privacy by stealing personal data stored on an infected device and exfiltrating this information to command and control infrastructure. While most of its functionality is typical of mobile surveillanceware, Monokle is a unique and advanced mobile surveillance tool because it:
Monokle appears in a very limited set of applications which implies attacks using Monokle are highly targeted. Many of these applications are trojanized and include legitimate functionality, so user suspicion is not aroused. Lookout data indicates this tool is still being actively deployed.
In 2015, Lookout and Citizen Lab reported on Pegasus, one of the most sophisticated nation-state mobile surveillanceware threats Lookout has discovered. Since then, Lookout has reported on a number of advanced surveillance tools, from Stealth Mango to Dark Caracal, indicating that mobile surveillanceware is not only on the rise, but increasingly evolving with new and novel functions.
As we continue to move toward a post-perimeter world, nation-states and enterprises alike need to adopt a security structure that protects against the ever-evolving threat of mobile surveillanceware.
*Lookout customers have been protected against Monokle since early 2018.
Get more in-depth details about and analysis of Monokle by downloading the technical report.
Adam Bauer, Senior Staff Security Intelligence Engineer
Apurva Kumar, Staff Security Intelligence Engineer
Christoph Hebeisen, Senior Manager, App Security Intelligence