Be careful what apps you download, especially if you are in the Caucasus. Someone is packaging powerful malware in fake versions of popular Andriod applications such as Skype, Signal, and PornHub, according to a report released Wednesday by the Lookout cybersecurity firm. 

Dubbed Monokle, the malware can “exfiltrate data from third party applications by reading text displayed on a device’s screen at any point in time,” the report said. 

Monokle seeks  root access, the most privileged level of control. When it achieves that access its able to overwrite security certificates to intercept—and potentially change— incoming and outgoing information, sometimes called a man-in-the-middle attack. But it can operate and steal data even when it can’t access root (because of systtem configuration.) “This allows the software to be incredibly flexible and useful in multiple operational scenarios,” they note. If it can gain access to root, 

The researchers first spotted Monokle in 2016, and have seen it pop up in the wild. But they’ve also seen it as part of a highly targeted campaigns, one aimed at Muslim men in the Caucasus region and another at people interested in Syria’s Ahrar al-Sham group, one of the Islamic militant groups fighting the Assad regime. These efforts peaked in 2018, simultaneous to heavy Russian military action against anti-Assad groups. 

Read More...