Fake Skype, Signal Apps Used to Spread Surveillanceware


Threat groups are increasingly relying on trojanized apps pretending to be legitimate – such as Skype or Signal – but are really spreading surveillanceware.

Cybercriminals are increasingly peddling booby-trapped version of popular apps such as Skype and Signal that contain surveillanceware.

Apurva Kumar, security intelligence engineer at Lookout, said that one such surveillanceware family that’s been spotted using this tactic is Monokle, a sophisticated set of custom Android surveillanceware.

Kumar said, looking forward at 2020, she’s seeing a steady increase in sophistication of threat actors distributing surveilleanceware – particularly as they rely more on device exploits.

“Threats are starting to move away from simple installation of applications and starting to move more onto the device and device exploitation side,” she said. “So definitely, as always, there will always be an increase in sophistication and complexity of these actors as they try to find new and novel ways of getting onto their targets’ device.”

See the full video interview below.

For a lightly edited transcript of the video see below.

Lindsey O’Donnell Welch: Hi, everyone, this is Lindsey O’Donnell Welch with Threatpost, and I’m here today at the RSA conference joined by Apurva Kumar, [security intelligence engineer at Lookout]. Thank you for joining us today. How is your RSA going?

Apurva Kumar: It’s going pretty well. It’s hugely exciting to be here for only the second time. So last year, I was also a speaker. It’s definitely less overwhelming and much more time to enjoy the atmosphere and the people.

Lindsey O’Donnell Welch: Well, you’re with Lookout. And Lookout had a really interesting session at the RSA conference about surveillanceware and specifically a new surveillanceware called Monokle that you had discovered. Can you talk a little bit about what that surveillanceware is and maybe just kind of walk us through how you first discovered it?

Apurva Kumar: Sure. So Monakle is is a professionally developed piece of Android surveillanceware. We came upon it in early 2018. And at that time, we didn’t actually know its significance. And this happens all the time really like, we were looking for Android and iOS surveillanceware and we can happened across something. And with Monakle, we just happened to look at it again a few months later, when it started increasing in activity. And then we were able to draw a couple of conclusions as to who the developer might be, and perhaps who it may be targeting.

So it turned out to be actually a quite an exciting story, and one that was involved lots of late nights, and lots of fun. But yeah, I’m very happy to speak about it here at RSA with my colleague, Adam Bauer. So we’re security researchers. And we spent quite a bit of time looking at the family trying to track down who was using it and who was developing it. And that’s all in our talk.

Lindsey O’Donnell Welch: What are you seeing when you’re first coming across surveillanceware? And how do you first kind of begin to start tracking it?

Apurva Kumar: Yeah, we start to look at capabilities first. So we look for applications that have suspect capabilities. So things like whether they’re accessing contacts and SMS, and video and photo. So sort of, in Android, you call them sort of dangerous permissions. And so we start there, and we look deeper into the code. And when we come across something that perhaps the title or the functionality of the application is not in line with the permissions that it’s looking for, that is usually something that raises red flags. Also, another technique is using trojan applications, which Monokle does use, and that’s basically they take a legitimate application, unpack it, inject some malicious functionality and then repackage it and perhaps spread it using, I don’t know, maybe some social engineering technique like phishing or something like that, and then market it to whoever or put it in front of the person who they may want to target. And then, because it’s familiar, so it gets packaged as something like, for example, Monakle was packaged as apps like Signal or Skype, so it may be a well known application, so it becomes easier for the user to want to install it, and then they get infected with the malware. So we usually hunt for these things using those sorts of capabilities.

Lindsey O’Donnell Welch: Right, and that’s, I was gonna ask to kind of how they initially infected, you know, potential victims. So it sounds like they are kind of looking towards, you know, maybe more trusted applications as a, like a platform to be distributed is that where you’re seeing?

Apurva Kumar: For Monokle specifically I have to say that we don’t exactly know how. But looking at our experience of trojanized applications, because they mimic well known applications, it’s a safe bet to say that they’re trying to get a user to trust them, or reduce suspicion from an application that’s installed. And whenever somebody does that, usually some type of social engineering is involved. So something like they would befriend a person or they would send an SMS or a message through a secure messaging application, saying, “hey, install this application, it’s safe” or “I want to talk to you further,”  basically trying to entice the user into letting their guard down and installing an unwanted application. So that’s one way of doing it. And we do have evidence that it is possible that a certain amount of physical access with the device may have been in store for targets off Monokle, so there may have been some physical – and the way that we draw that distinction is because there’s a capability within Monokle that allows a attacker to record a screen unlock. And so there’s two reasons why somebody would want to do that. They’d want to know your password to unlock your phone if they had access to your phone. And perhaps if you reuse that pin elsewhere, and things like that, so that may suggest that they may have physical access to the device. We don’t know yet for sure, though.

Lindsey O’Donnell Welch: right. That’s a interesting track too, I mean, say you reuse like your pin for your banking, you know, as a banking credential or something so neat little trick there. So I’m curious to how does how does Monokle compare to you know, Pegasus or some of the other spyware types of strains that we’re seeing over the past year? Are there any kind of key differentiators that really stuck out to you?

Apurva Kumar: Well, it is similar in a lot of ways. So all surveillanceware on Android or iOS has a set of capabilities like they know what they want to do. They want to take all your data and figure out exactly who you’re talking to. That’s really what surveillance is about. So in that way, they’re almost always similar. Monocle did a lot of things that were unique to it. And there is evidence that Monokle might be using some sort of exploitation techniques. So for example, you’re drawing the distinction between Monokle and Pegasus. So Pegasus was known for using a zero day or a couple of zero days to exploit a device and then gain access to it. So we haven’t actually ourselves seen any exploit used. But the way that Monokle is built, it’s actually, probably able to make use of those sorts of things, so it can function with root and without root. And that shows that the developer or the attacker may actually have access to an exploitation technique in order to use that functionality.

Lindsey O’Donnell Welch: Yeah, that’s really interesting. And part of your threat intel research to kind of focused in on who was really behind Monokle and you had some really interesting kind of takeaways there. What did you find?

Apurva Kumar: So we found after quite a bit of investigation, and after looking at Monokle for a couple of times, we found that the developer of Monokle is almost certainly a Russian defense contractor by the name of Special Technology Center or STC. And this developer appears to have a very good or very advanced Android development pipeline, they are most likely producing a number of different applications, Android apps, both on the defensive side and the offensive side. So they produce some defensive security solutions that are like basically an antivirus, as well, as a surveillanceware which we found called Monokle. So, yeah. I guess the STC is also well known or may have been heard of before, because it was sanctioned by the Obama administration in 2016 for election interference. So that’s where people may have heard the name before.

Lindsey O’Donnell Welch: Looking at some of the other kind of groups like NSO Group and some of the other ones, I feel like there is a certain air of trying to be legitimate, but actually, you know, in the background, like distributing some of these malware strains. So I wanted to ask before we wrap up, is there any trends in surveillanceware in 2020 that we should really be on the lookout for?

Apurva Kumar: Well in general, what we’ve seen is that there’s a steady increase in sophistication of these actors. Threats are starting to move away from simple installation of applications and starting to move more onto the device and device exploitation side. So definitely, as always, there will always be an increase in sophistication and complexity of these actors as they try to find new and novel ways of getting onto their targets’ device. But also, an interesting trend that I’ve seen is the use of commodity commercial off-the-shelf software to achieve the same purpose. So there are threat actors in general out there in the world that have relatively low sophisticated targets. So their targets are generally people who may not be perhaps well educated on the technical side, or understand technology all too well. And those the best targets for less sophisticated malware and by and large, what we’ve seen is that that’s a larger market, just because there are a lot more people like that. And it’s also easier to infect them. And there’s a lot more examples of that. So, and it’s also cheaper to get, the tools are always cheaper as well. So not only are we going to see a sophistication on the higher end of the spectrum, but on the lower end, commodity off-the-shelf, software or surveillanceware, things that are dubbed these days as stalkerware or spouseware are also used as threats to achieve the same purpose.

Lindsey O’Donnell Welch:  Right and sometimes those are even sold as you know, services to track your kids and track your employees and things like that. So that makes it even more difficult to track, definitely something to look out for in 2020. So, thank you so much for coming on and talking to us today at RSA.

Apurva Kumar:Thank you very much.

Lindsey O’Donnell Welch: Great and have a great rest of your show.

Apurva Kumar: Thank you. You too.

Suggested articles