A new Android surveillance tool that may be used by the Iranian government has been used to spy on more than 300 people belonging to minority groups.
The malware, dubbed BouldSpy, has been attributed with moderate confidence to the Law Enforcement Command of the Islamic Republic of Iran (FARAJA). Targeted victims included Iranian Kurds, Baluchis, Azeris, and Armenian Christian groups.
“The spyware may also have been used in efforts to combat and monitor illegal trade in weapons, drugs and alcohol,” Lookout said, based on exfiltrated data containing photos of drugs, firearms, and official documents issued by FARAJA.
BouldSpy, like other Android malware families, abuses its access to Android’s accessibility services and other intrusive permissions to harvest sensitive data such as web browser history, photos, contact lists, SMS logs, keystrokes, screenshots, clipboard content, microphone audio, call recordings, and videos.
It should be noted that BouldSpy is the same Android malware that Cyble codenamed DAAM in its own analysis last month.
The evidence gathered so far suggests that BouldSpy was installed on the target device via physical access, potentially after the device was confiscated upon detention. This theory is supported by the fact that the first location data collected from victims’ devices was mostly concentrated around Iran’s law enforcement agencies and border control posts.
The malware comes with a command-and-control (C2) panel to manage victims’ devices, as well as to create new malicious apps masquerading as seemingly harmless apps such as benchmarking tools, currency converters, interest calculators, and the Psiphon censorship circumvention utility.
Other notable features include the ability to run additional code sent from the C2 server, receive commands via SMS messages, and even disable the battery management feature to prevent the device from killing spyware.
It further incorporates “unused and non-functional” ransomware components that borrow their implementation from the open-source project CryDroid, increasing the likelihood that it is either being actively developed or is a false flag planted by the threat actor.
“Once installed, the spyware will attempt to establish a network connection to its C2 server and extract any cached data from the victim’s device to the server,” said the Lookout researcher. “BouldSpy represents another surveillance tool that takes advantage of the personal nature of mobile devices.”