Iranian govt uses BouldSpy Android malware for internal surveillance operations

Iranian authorities have been spotted using the BouldSpy Android malware to spy on minorities and traffickers.

Researchers at the Lookout Threat Lab have discovered a new Android surveillance spyware, dubbed BouldSpy, that was used by the Law Enforcement Command of the Islamic Republic of Iran (FARAJA).

The researchers are tracking the spyware since March 2020, starting in 2023, multiple security experts [1,2] started monitoring its activity.

Despite BouldSpy spyware supports ransomware capabilities, Lookout researchers have yet to see the malicious code using them, a circumstance that suggests the malware is under development or it is a false flag used by its operators.

The analysis of exfiltrated data from C2 servers used by the spyware revealed that BouldSpy has been used to spy on more than 300 people, including minority groups such as Iranian Kurds, Baluchis, Azeris, and possibly Armenian Christian groups. The malware was likely used to counter and monitor illegal trafficking activity related to arms, drugs, and alcohol. 

“We believe FARAJA uses physical access to devices, likely obtained during detention, to install BouldSpy to further monitor the target on release. In our research, we obtained and reviewed a large quantity of exfiltrated data that included photos and device communications, such as screenshots of conversations, recordings of video calls, as well as SMS logs.” reads the report published by Lookout. “Our analysis also revealed photos of drugs, firearms, and official FARAJA documents that indicate potential law enforcement use of the malware. However, much of the victim data points to its broader usage, which indicates targeted surveillance efforts towards minorities within Iran.”

The researchers believe BouldSpy is a new malware family due to the relatively small number of samples they we’ve obtained. The experts also pointed out the lack of maturity for the operational security employed by the operators, such as unencrypted C2 traffic, hardcoded plaintext C2 infrastructure details, a lack of string obfuscation, and failure to conceal or remove intrusion artifacts.

The C2 panel allows operators to control infected devices and build custom BouldSpy applications that impersonate legitimate Android system services or that can trojanize various legitimate applications by inserting the “com.android.callservice” package. 

“Given the likelihood of physical installation as the initial vector for BouldSpy, it’s possible that BouldSpy victims had legitimate versions of these apps installed when their devices were confiscated, and that those apps were trojanized in order to avoid detection by the victim.” continues the report.

Below is a list of the surveillance capabilities supported by the spyware:

• Getting all account usernames available on the device and their associated types (such as Google, Telegram, WhatsApp and others)
• List of installed apps
• Browser history and bookmarks
• Live call recordings
• Call logs
• Take photos from the device cameras
• Contact lists
• Device information (IP address, SIM card information, Wi-Fi information, Android version, and device identifiers)
• List of all files and folders on the device
• Clipboard content
• Keylogs
• Location from GPS, network, or cell provider
• SMS messages (sent, received and drafts)
• Record audio from the microphone
• Take screenshots

Most of the activities conducted by the BouldSpy malware are performed in the background by abusing Android accessibility services.

The experts noticed that the spyware also relies on the CPU wake lock and disables battery management to prevent the OS from closing the process associated with the malware .

BouldSpy can also run arbitrary code, and download and run additional malicious payloads. The spyware can receive commands via C2 web traffic and via SMS messages.

The report published by Lookout also provides Indicators of Compromise (IoCs) for this threat.

Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections:

• The Teacher – Most Educational Blog
• The Entertainer – Most Entertaining Blog
• The Tech Whizz – Best Technical Blog
• Best Social Media Account to Follow (@securityaffairs)

Please nominate Security Affairs as your favorite blog.

Nominate here: https://docs.google.com/forms/d/e/1FAIpQLSfaFMkrMlrLhOBsRPKdv56Y4HgC88Bcji4V7OCxCm_OmyPoLw/viewform

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, BouldSpy spyware)