BouldSpy Android Spyware: Iranian Government’s Alleged Tool for Spying on Minority Groups

BouldSpy Android Spyware

A new Android surveillanceware possibly used by the Iranian government has been used to spy on over 300 individuals belonging to minority groups.

The malware, dubbed BouldSpy, has been attributed with moderate confidence to the Law Enforcement Command of the Islamic Republic of Iran (FARAJA). Targeted victims include Iranian Kurds, Baluchis, Azeris, and Armenian Christian groups.

“The spyware may also have been used in efforts to counter and monitor illegal trafficking activity related to arms, drugs, and alcohol,” Lookout said, based on exfiltrated data that contained photos of drugs, firearms, and official documents issued by FARAJA.

BouldSpy, like other Android malware families, abuses its access to Android’s accessibility services and other intrusive permissions to harvest sensitive data such as web browser history, photos, contact lists, SMS logs, keystrokes, screenshots, clipboard content, microphone audio, and video call recordings.

It’s worth pointing out that BouldSpy refers to the same Android malware that Cyble codenamed DAAM in its own analysis last month.

BouldSpy Android Spyware

Evidence gathered so far points to BouldSpy being installed on targets’ devices via physical access, potentially confiscated after detention. This theory is bolstered by the fact that the first locations gathered from victim devices are mostly concentrated around Iranian law enforcement establishments and border control posts.

The malware comes alongside a command-and-control (C2) panel to manage victim devices, not to mention create new malicious apps that masquerade as seemingly innocuous apps like benchmarking tools, currency converters, interest calculators, and the Psiphon censorship circumvention utility.

Join our webinar and learn how to stop ransomware attacks in their tracks with real-time MFA and service account protection.

Save My Seat!

Other noteworthy features comprise its ability to run additional code sent from the C2 server, receive commands through SMS messages, and even disable battery management features to prevent the device from terminating the spyware.

It further incorporates an “unused and nonfunctional” ransomware component that borrows its implementation from an open source project called CryDroid, raising the possibility that it’s being actively developed or is a false flag planted by the threat actor.

“Once installed, the spyware will seek to establish a network connection to its C2 server and exfiltrate any cached data from the victim’s device to the server,” Lookout researchers said. “BouldSpy represents yet another surveillance tool taking advantage of the personal nature of mobile devices.”



Original Source


 

A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below

Buy Me A Coffee
Patreon

 To keep up to date follow us on the below channels.

join
Telegram
discord
Discord
reddit
Reddit
linkedin
LinkedIn