New 'highly targeted' mobile malware, dubbed 'Monokle', linked to Russian hackers

Researchers believe the malware was created by STC, a Russian company accused of interfering in the 2016 US presidential election

Security researchers have discovered a new "highly targeted" form of mobile malware with links to Russian cyber criminals.

Dubbed 'Monokle', the malware was discovered by cyber security firm Lookout and uses a range of custom Android surveillanceware tools.

Lookout claimed that its research indicates that these tools are part of a targeted set of campaigns and are developed by the St Petersburg, Russia-based company, Special Technology Centre (STC).

In 2016, STC was one of three companies to face sanctions imposed by former US President Barack Obama for allegedly interfering in the 2016 presidential election. The company predominantly develops drones and radio frequency equipment for the Russian military and employs 1,500 people.

Allegedly created by STC, Monokle installs on a targeted device, steals personal data and exfiltrates it to command-and-control infrastructure.

In a detailed report, researchers said: "While most of its functionality is typical of a mobile surveillanceware, Monokle is unique in that it uses existing methods in novel ways in order to be extremely effective at data exfiltration, even without root access."

Monokle uses Android accessibility services to take data from third-party applications and predictive-text dictionaries to identify target information.
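Because the surveillanceware relies on accessibility services, one defensive check is to audit which accessibility services a device has enabled. The script below is an added example and is not from the article or from Lookout's report; it parses the colon-separated value Android stores in the `enabled_accessibility_services` secure setting (readable with `adb shell settings get secure enabled_accessibility_services`) and flags entries outside an allowlist. The allowlist and the sample input are constructed, and `com.example.hypothetical/.SpyService` is a placeholder name.

```shell
#!/bin/sh
# Added example: audit Android's enabled accessibility services against an allowlist.
# Android stores the setting as "pkg/Class:pkg2/Class2" (or "null" when none are enabled).
# TalkBack is listed as an expected screen reader; extend ALLOWLIST for your fleet.
ALLOWLIST="com.android.talkback/com.google.android.marvin.talkback.TalkBackService"

# audit_a11y VALUE
#   VALUE is the raw setting string. Prints every service not on the allowlist.
#   Returns 0 when nothing unexpected is enabled, 1 otherwise.
audit_a11y() {
  # "null" (or empty) means no accessibility service is enabled at all.
  if [ -z "$1" ] || [ "$1" = "null" ]; then
    return 0
  fi
  found=0
  old_ifs=$IFS
  IFS=:
  for svc in $1; do
    [ -z "$svc" ] && continue
    case ":$ALLOWLIST:" in
      *":$svc:"*) ;;                       # known service, nothing to report
      *) echo "UNEXPECTED accessibility service: $svc"; found=1 ;;
    esac
  done
  IFS=$old_ifs
  return $found
}

# Constructed sample: TalkBack plus a hypothetical, unexpected service.
SAMPLE="com.android.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.hypothetical/.SpyService"

# Typical use on a connected device (commented out so the script runs offline):
#   audit_a11y "$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')"
audit_a11y "$SAMPLE"
```

An unexpected entry is a lead, not a verdict: confirm the package's origin and installation source before treating it as surveillanceware.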

What's even more concerning is that the malware is capable of recording a device's screen while it is being unlocked, allowing attackers to change a user's PIN, pattern or password.

The researchers continued: "Monokle appears in a very limited set of applications which implies attacks using Monokle are highly targeted. Many of these applications are Trojanized and include legitimate functionality, so user suspicion is not aroused."

Based on its research data, Lookout believes that the tool is still being actively deployed by threat actors.

The report adds: "Lookout is able to link STC to Monokle because it has also discovered that STC has been developing a set of Android security applications, including an anti-virus solution, which share infrastructure with Monokle."