Monokle is not a new infection, but malware researchers have recently recorded its resurgence. It is believed that this malware was built back in 2015 and that it started spreading across devices in 2016. Clearly, no one has been able to stop it, and it is not even clear who is responsible for it. According to the recent report by Lookout, a Russia-based company called STC (Special Technology Center) is likely behind this spyware, but that attribution cannot currently be proven. In any case, this malware is active, and it can be extremely dangerous, which is why it is important to talk about it once again. The only good news is that this spyware is unlikely to attack people at random; it is far more likely to be used in targeted attacks.
The way Monokle spreads is clever. The attackers behind this threat distribute it through Trojanized apps that mimic legitimate or well-known apps. Back in 2016, an app called “Ahrar Maps” was employed, and it was most likely created to target people in Syria in the midst of the civil war. Since then, apps carrying the logos of Skype, Evernote, Google Play, Android, Pornhub, Google, and many other well-known brands have been employed. These can be offered to Android users on any app store, but less popular sources are probably used in most cases. If the targeted users are tricked into installing the infected application, the attackers gain the ability to extract large amounts of highly sensitive information, which they can sell, use to take over accounts, impersonate the victims online, and spy on them.
Once Monokle is installed, it can initiate many malicious processes. One thing that makes it quite unique is that it can install trusted certificates (a user-installed root certificate lets an attacker intercept the device’s encrypted traffic) and exfiltrate sensitive data, which might include words from the predictive-text dictionary. Monokle can also hide itself from the Process Manager to ensure that the victim cannot detect and remove it right away. It can read calendar events to collect event locations, times, and descriptions. It can receive out-of-band SMS messages and make outgoing calls. It can even record calls. Furthermore, the infection can record audio to spy on the infected device’s user and reset their PIN code to lock them out of the device. Monokle can record keystrokes and capture screenshots to gather sensitive data, exfiltrate contact details, read e-mails, take videos and photos, track the device’s location, read browsing history, and delete files.
Monokle can also access instant messaging apps and read the messages the victim receives. Some of the apps that the threat specifically targets include Facebook Messenger, imo, Instagram, Line, Skype, Snapchat, WeChat, WhatsApp, Viber, and VK. Ultimately, if Monokle lands on the device, and if the victim does not detect and delete it right away – which is unlikely to happen due to the stealthy nature of this malware – they can fall under constant surveillance. Unfortunately, both the online and the physical livelihood of the targeted victims can be threatened, and that is what makes Monokle one of the most dangerous Android threats in the wild today.
It is not easy to remove Monokle once it has embedded itself in the device, and it might be easier to switch to a new device if possible. Overall, preventing this malware from getting in is always easier than getting rid of it, and simple common sense can help you avoid this infection. First and foremost, do NOT trust unfamiliar app stores that do not have a good reputation. You would be asking for trouble by trusting them. If you need to download a new Android app, go to Google Play. This is your safest bet. That being said, before you install the app, research it first. Also, beware of fake lookalikes that might use similar names and familiar logos to trick you into downloading malware. Finally, use your head, and if anything ever feels strange or out of order, do not make any hasty moves that you would regret in the future.
Bauer, A., Hebeisen, C., Kumar, A., and Murray, M. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Lookout.