Sanctions-hit Russian developers fingered for crafting 'Monokle' Android snoopware

A Russian software developer, currently under American sanctions for its purported role in the Kremlin's interference with the 2016 US elections, is now selling spyware to governments.

Researchers at security house Lookout today reported [PDF] that St Petersburg-based Special Technology Centre (STC) is developing and maintaining a commercial spyware tool known as Monokle.

STC was among the Russian businesses hit last year with US economic sanctions for their supporting role in the GRU's election-meddling efforts. The Russian tech firm is said to have its hands in a number of fields, including UAVs, radio equipment and, now, surveillance software.

Monokle targets Android devices by being added as a hidden payload in seemingly legitimate apps like Google Play or Skype. Most recently, Lookout says, the malware has used the names and icons of apps popular in Syria and the Caucasus regions in an effort to keep an eye on groups in those areas.

Once installed Monokle launches a wide range of surveillance tools including remote-access backdoors, certificate installers to allow for man-in-the-middle attacks, and functions that gather the personal data of the target.

"While most of its functionality is typical of a mobile surveillanceware, Monokle is unique in that it uses existing methods in novel ways in order to be extremely effective at data exfiltration, even without root access," Lookout notes.

"Among other things, Monokle makes extensive use of the Android accessibility services to exfiltrate data from third party applications and uses predictive-text dictionaries to get a sense of the topics of interest to a target. Monokle will also attempt to record the screen during a screen unlock event so as to compromise a user’s PIN, pattern or password."

Phuck off, phishers! JPMorgan Chase crafts AI to sniff out malware menacing staff networks

READ MORE

Monokle is also just the tip of the iceberg for STC's mobile operations. Lookout's team said it found evidence that an iOS version of the spyware is in development along with a set of security tools STC is pitching to governments alongside the spyware.

"According to our research, although STC has never publicly marketed their Android security suite, it is clear that STC is producing this software and that it is intended for government customers," Lookout said.

"Multiple Android developer positions have been advertised by STC on popular Russian job search sites in St Petersburg and Moscow. The positions require both Android and iOS experience and advertise working on a native antivirus solution for Android."

The dual offerings make sense enough. Who better to protect you from targeted, government-backed malware than a company that develops it on the side? ®