Iranian Government’s Alleged Tool for Spying on Minority Groups

May 2, 2023 | Ravie Lakshmanan | Mobile Security / Spyware


A new Android surveillanceware, possibly operated by the Iranian government, has been used to spy on more than 300 individuals belonging to minority groups.

The malware, called BouldSpy, is attributed by Lookout with moderate confidence to the Law Enforcement Command of the Islamic Republic of Iran (FARAJA). Targeted victims include Iranian Kurds, Baluchis, and Azeris, as well as Armenian Christian groups.

Lookout said the attribution rests on the stolen data, which includes photographs of drugs, firearms, and official documents issued by FARAJA.


BouldSpy, like other Android malware families, abuses Android's accessibility services and other intrusive permissions to harvest web browser history, photos, contact lists, SMS logs, keystrokes, screenshots, and clipboard contents. It also collects sensitive recordings, including phone call and microphone audio and video calls.

It’s worth pointing out that BouldSpy refers to the same Android malware that Cyble codenamed DAAM in its own analysis last month.


Evidence collected so far indicates that BouldSpy is installed on a target's device through physical access, most likely after the device is confiscated during detention. This theory is supported by the fact that the first locations collected from victim devices are concentrated around Iranian law enforcement and border-control facilities.

The malware comes with a command-and-control (C2) panel for managing victim devices. The panel also lets operators build new malicious apps disguised as seemingly harmless ones, such as benchmarking tools, currency converters, interest-rate calculators, and the Psiphon censorship-circumvention utility.


Other notable features include the ability to execute additional code sent by the C2 server, to receive commands via SMS messages, and to disable battery-management features so that the operating system does not terminate the spyware. There is also a function to

Additionally, it incorporates an "unused and non-functioning" ransomware component whose implementation is borrowed from an open-source project called CryDroid, which suggests either that the spyware is still under active development or that the component is a false flag planted by the threat actors.
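The traits described above (an enabled accessibility service, an SMS command channel, and an exemption from battery management) are also what a responder can check for on a device that has been out of its owner's hands. The following Python is an added example, not code from Lookout, Cyble, or the article: it parses the text of three `adb shell` commands (`settings get secure enabled_accessibility_services`, `dumpsys deviceidle whitelist`, and `dumpsys package <pkg>`) and scores packages by how many of those traits they show. Every package name and all sample output below are constructed, and the output formats are assumed from AOSP; confirm them against the Android version on the device you examine.

```python
"""
Triage helper (added example, not Lookout's or Cyble's code) that looks for
three traits the article attributes to BouldSpy:
  1. an enabled accessibility service,
  2. a user-granted exemption from battery optimization (Doze whitelist),
  3. the RECEIVE_SMS permission (a possible SMS command channel).
It parses text pulled with `adb shell`; the samples at the bottom are
constructed, and com.example.currencyconv is a hypothetical disguised app.
"""
import re
from dataclasses import dataclass, field

# Packages that legitimately hold accessibility access on many devices.
# Assumption: extend this allowlist for your own fleet.
KNOWN_BENIGN = {"com.google.android.marvin.talkback"}


def parse_enabled_accessibility_services(value: str) -> list[str]:
    """Parse `settings get secure enabled_accessibility_services`.

    The value is a colon-separated list of package/ServiceClass entries
    (or the literal 'null' when none is enabled); return the package names.
    """
    value = value.strip()
    if not value or value == "null":
        return []
    return [entry.split("/", 1)[0] for entry in value.split(":") if entry]


def parse_deviceidle_whitelist(text: str) -> set[str]:
    """Parse `dumpsys deviceidle whitelist`.

    Assumed format: `system,<pkg>,<uid>` or `user,<pkg>,<uid>` per line.
    Only `user` entries were added at runtime (e.g. via
    REQUEST_IGNORE_BATTERY_OPTIMIZATIONS), which is the trait of interest.
    """
    user_exempt = set()
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) == 3 and parts[0] == "user":
            user_exempt.add(parts[1])
    return user_exempt


_PERM_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+):\s*granted=true", re.M)


def parse_granted_permissions(dumpsys_package_text: str) -> set[str]:
    """Collect permissions reported as granted in `dumpsys package <pkg>`."""
    return set(_PERM_RE.findall(dumpsys_package_text))


@dataclass
class Finding:
    package: str
    traits: list[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.traits)


def triage(enabled_services: str, whitelist: str,
           package_dumps: dict[str, str]) -> list[Finding]:
    """Rank non-allowlisted packages by how many BouldSpy-like traits they show."""
    a11y = set(parse_enabled_accessibility_services(enabled_services))
    exempt = parse_deviceidle_whitelist(whitelist)
    findings = []
    for pkg in sorted((a11y | exempt | set(package_dumps)) - KNOWN_BENIGN):
        f = Finding(pkg)
        if pkg in a11y:
            f.traits.append("accessibility_service_enabled")
        if pkg in exempt:
            f.traits.append("user_battery_optimization_exempt")
        perms = parse_granted_permissions(package_dumps.get(pkg, ""))
        if "android.permission.RECEIVE_SMS" in perms:
            f.traits.append("receive_sms_granted")
        if f.traits:
            findings.append(f)
    return sorted(findings, key=lambda f: f.score, reverse=True)


# --- constructed sample output (not captured from a real device) ---
SAMPLE_A11Y = ("com.example.currencyconv/com.example.currencyconv.AccService:"
               "com.google.android.marvin.talkback/"
               "com.google.android.marvin.talkback.TalkBackService")
SAMPLE_WHITELIST = """\
system,com.android.vending,10036
system,com.google.android.gms,10012
user,com.example.currencyconv,10231
"""
SAMPLE_DUMPS = {
    "com.example.currencyconv": """\
  install permissions:
      android.permission.RECEIVE_BOOT_COMPLETED: granted=true
  runtime permissions:
      android.permission.RECEIVE_SMS: granted=true
      android.permission.READ_CONTACTS: granted=true
""",
    "com.example.notepad": """\
  runtime permissions:
      android.permission.RECEIVE_SMS: granted=false
""",
}

if __name__ == "__main__":
    for f in triage(SAMPLE_A11Y, SAMPLE_WHITELIST, SAMPLE_DUMPS):
        print(f"{f.package}: score={f.score} traits={f.traits}")
```

A single trait is common on clean devices (screen readers hold accessibility access; messaging apps hold RECEIVE_SMS), so the score only ranks packages for manual review; the disguised-app names the article lists (benchmarks, currency converters, calculators) are the kind of package that should not need any of the three.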

"Once the spyware is installed, it establishes a network connection to the C2 server and attempts to exfiltrate any data cached on the victim's device to the server," Lookout researchers said. "BouldSpy is yet another surveillance tool that takes advantage of the personal nature of mobile devices."
