A new Android surveillance tool spotted by mobile security experts at Zimperium is attributed to law enforcement agencies of the Islamic Republic of Iran (FARAJA).
The mobile malware, called BouldSpy, is being used by attackers to target minority groups and people who may be involved in illegal human trafficking activities, according to an advisory the company released Wednesday.
“BouldSpy has extensive surveillance capabilities such as recording calls, capturing photos, monitoring account usernames on various platforms,” explains Zimperium security researcher Nicolás Chiaraviglio.
BouldSpy turns off battery management and establishes a CPU wake lock to keep the application alive, while at the same time leveraging Android Accessibility Services to perform most monitoring actions.
“By exploiting CPU wake locks and disabling battery management features, spyware prevents the device from shutting down activity and drains the victim’s battery faster,” Chiaraviglio explains.
Once installed, BouldSpy establishes network connections with its command and control (C2) servers and exfiltrates cached data from the victim’s device. A background service manages most of the monitoring functionality and restarts itself when its parent activity is stopped by the user or the Android system.
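The three traits described above (sideloaded install, an enabled accessibility service, and battery optimisation switched off) can be triaged from a device over adb. The following is an added example, not code from Zimperium or from the article: it parses the output of `pm list packages -3 -i`, `settings get secure enabled_accessibility_services` and `dumpsys deviceidle whitelist` and flags packages that combine the traits. The sample output and package names are constructed, and the exact text formats of those commands are an assumption.

```python
"""Triage helper for the BouldSpy behaviours described in the article (added example).
Sample command output below is constructed, not captured from a real device."""
import re

PLAY_STORE = "com.android.vending"

# Constructed output of `adb shell pm list packages -3 -i` (hypothetical packages).
PM_OUTPUT = """package:com.example.bank  installer=com.android.vending
package:com.example.sideload  installer=null
package:com.example.notes  installer=null
"""
# Constructed output of `adb shell settings get secure enabled_accessibility_services`.
A11Y_OUTPUT = "com.example.sideload/com.example.sideload.MonitorService:com.android.talkback/.TalkBackService"
# Constructed output of `adb shell dumpsys deviceidle whitelist` (type,package,uid).
DEVICEIDLE_OUTPUT = """system-excidle,com.android.providers.downloads,10010
user,com.example.sideload,10234
"""

def parse_installers(text):
    """Map package -> installer package (None when 'installer=null')."""
    out = {}
    for m in re.finditer(r"^package:(\S+)\s+installer=(\S+)", text, re.M):
        out[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return out

def parse_accessibility(text):
    """Packages owning an enabled accessibility service; the setting is a
    colon-separated list of ComponentNames, or 'null' when none are enabled."""
    text = text.strip()
    if not text or text == "null":
        return set()
    return {c.split("/")[0] for c in text.split(":") if c}

def parse_idle_whitelist(text):
    """Packages a user (not the system image) exempted from Doze / battery optimisation."""
    return {ln.split(",")[1] for ln in text.splitlines() if ln.startswith("user,")}

def triage(pm_text, a11y_text, idle_text):
    """Return {package: [traits]} for non-Play installs that show at least one extra trait."""
    installers = parse_installers(pm_text)
    a11y, idle = parse_accessibility(a11y_text), parse_idle_whitelist(idle_text)
    findings = {}
    for pkg, inst in installers.items():
        traits = ["sideloaded"] if inst != PLAY_STORE else []
        if pkg in a11y:
            traits.append("accessibility-service")
        if pkg in idle:
            traits.append("battery-optimization-exempt")
        if "sideloaded" in traits and len(traits) > 1:
            findings[pkg] = traits
    return findings

if __name__ == "__main__":
    for pkg, traits in triage(PM_OUTPUT, A11Y_OUTPUT, DEVICEIDLE_OUTPUT).items():
        print(pkg, ", ".join(traits))
```

A flagged package is a starting point for manual review (permissions, services, network destinations), not proof of infection; legitimate accessibility apps are installed outside Play as well.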
Zimperium warns that BouldSpy is highly dangerous to both individuals and the general public due to its advanced surveillance capabilities.
“Targeted surveillance of minority groups within Iran could lead to further discrimination and oppression, amplifying existing social and political tensions,” Chiaraviglio wrote.
As of this writing, Zimperium has observed a limited number of BouldSpy samples, all distributed outside of the Google Play Store via third-party services.
“Because this spyware is not distributed through Google Play, it is more difficult for users to identify and avoid. Additionally, this presents the danger of sideloading applications from unknown third-party sources. We are doing it,” said Chiaraviglio.
The Zimperium advisory comes weeks after a threat actor known as Mint Sandstorm was observed weaponizing an N-day vulnerability targeting critical infrastructure in the United States.