BTC $57054.0562
ETH $3243.0497
BNB $394.9600
SOL $108.4177
XRP $0.5865
stETH $3239.3493
ADA $0.6239
AVAX $39.2702
DOGE $0.0977
TRX $0.1428
wstETH $3750.7519
DOT $8.3691
LINK $19.0300
WETH $3348.6813
MATIC $1.0282
UNI $10.8579
WBTC $56903.9273
IMX $3.3452
ICP $13.0217
BCH $292.5040
LTC $74.0124
CAKE $3.1570
ETC $28.0992
LEO $4.3640
FIL $7.6578
KAS $0.1689
RNDR $7.2011
DAI $1.0000
ATOM $11.2097
HBAR $0.1082
INJ $40.1071
VET $0.0489
TON $2.1280
OKB $51.4855
FDUSD $0.9985
LDO $3.4670
STX $2.9465
XMR $135.8398
XLM $0.1230
ARB $1.8948
NEAR $3.9608
TIA $17.0031
WEMIX $2.3756
GRT $0.2795
ENS $22.1963
MKR $2154.9330
APEX $2.3329
BTC $57054.0562
ETH $3243.0497
BNB $394.9600
SOL $108.4177
XRP $0.5865
stETH $3239.3493
ADA $0.6239
AVAX $39.2702
DOGE $0.0977
TRX $0.1428
wstETH $3750.7519
DOT $8.3691
LINK $19.0300
WETH $3348.6813
MATIC $1.0282
UNI $10.8579
WBTC $56903.9273
IMX $3.3452
ICP $13.0217
BCH $292.5040
LTC $74.0124
CAKE $3.1570
ETC $28.0992
LEO $4.3640
FIL $7.6578
KAS $0.1689
RNDR $7.2011
DAI $1.0000
ATOM $11.2097
HBAR $0.1082
INJ $40.1071
VET $0.0489
TON $2.1280
OKB $51.4855
FDUSD $0.9985
LDO $3.4670
STX $2.9465
XMR $135.8398
XLM $0.1230
ARB $1.8948
NEAR $3.9608
TIA $17.0031
WEMIX $2.3756
GRT $0.2795
ENS $22.1963
MKR $2154.9330
APEX $2.3329
  • Catalog
  • Blog
  • Tor Relay
  • Jabber
  • One-Time notes
  • Temp Email
  • What is TOR?
  • We are in tor
  • Iranian Android malware BouldSpy is actively used for cyber espionage purposes

    Mobile cybersecurity firm Lookout recently analyzed a piece of Android spyware allegedly used by the Iranian government to monitor minority groups in the country and track arms, alcohol and drug trafficking. Dubbed BouldSpy, the malware was likely installed by Iranian law enforcement using direct physical access to the victims' devices, allegedly obtained during their detention.

    The investigated spyware has been in use since at least 2020. To date, more than 300 victims have been identified. The data obtained during the study also indicate the potential use of the BouldSpy program to combat and monitor human trafficking. However, even despite the good intentions of law enforcement officers, their actions can hardly be called legal.

    The malware control panel allows Iranian operators to control victims' mobile devices, and the application itself can take on the appearance of any popular application while maintaining its full functionality.

    “Given the likelihood of physical installation as the starting vector for BouldSpy, it is likely that BouldSpy victims already had legitimate versions of these applications installed. And when their devices were confiscated, these applications were trojanized to avoid accidental discovery by the victim,” Lookout researchers note.

    On infected devices, BouldSpy may collect credentials, a list of installed applications, browser data, call logs, clipboard contents, contact lists, device information, a list of files and folders, and SMS messages.

    The malware also allows operators to record phone calls, take photos with the phone's camera, log keystrokes, locate the device, record audio, and take screenshots. In addition, BouldSpy can record victims' voice calls through various Voice over VoIP applications common within Iran.

    BouldSpy performs its malicious activities in the background by abusing Android accessibility services. The spyware also disables smart power saving to prevent the device from ending the BouldSpy process. But even if this happens, the malware will definitely start again after the smartphone is rebooted, as it is registered in the system autorun.

    Spyware can receive C2 commands via web traffic and via SMS messages. Although it encrypts files for exfiltration, the C2 traffic itself is not encrypted in any way, which allowed the researchers to detect and intercept it.

    BouldSpy also contains ransomware code borrowed from the CryDroid open source project, but Lookout believes that this code is currently not used in any way.

    Author DeepWeb
    Tor Project and ProtonMail call on governments around the world to stop weakening encryption on the Internet
    White Phoenix: A powerful decryptor that recovers data from ransomware attacks

    Comments 0

    Add comment