Iran spies on minorities using the BouldSpy Android malware

May 22, 2023
Iran Spyware Minorities BouldSpy Android Mobile Malware

Reports revealed that the Iranian government has been using the BouldSpy Android malware to eavesdrop on and surveil targeted minorities and traffickers. Researchers assess that the spyware was allegedly installed by a law enforcement agency in Iran through physical access to the target's device, access that was most likely obtained while the individual was detained.

The spyware has allegedly been active for about two years, and data from more than 300 confirmed victims has been observed. The affected groups are likely Armenian Christian groups, Iranian Kurds, Baluchis, and Azeris. Further evidence suggests that Iranian authorities also use the spyware to monitor and counter trafficking.

The malware's C2 panel lets its operators manage victim devices and generate custom BouldSpy apps that impersonate Android system services, a currency converter, a prank application, an interest calculator, the mobile CPU benchmarking tool CPU-Z, and a VPN application.

The BouldSpy Android malware could harvest troves of data on an infected device.

According to the reports, BouldSpy can collect large volumes of information, including account usernames and their associated services, browser data, clipboard content, installed apps, contact lists, device information, SMS messages, and a list of files and folders.

The spyware also lets its operators record phone calls, take photos with the infected device's camera, track the device's location, record audio, log keystrokes, and take screenshots. It can also record voice calls made through several VoIP apps.

BouldSpy begins its surveillance in the background once the user opens the trojanized app, relies on Android accessibility services to carry out much of its activity, and disables battery optimization for itself so that the operating system does not kill its process.

The malware receives commands both over its command-and-control web traffic and via SMS messages. The C2 traffic is not encrypted, although files staged for exfiltration are encrypted before they are sent. Because the C2 channel is in the clear, network-level inspection can observe the malware's check-ins and command exchanges directly.
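
The capability set described above (broad data-harvesting permissions, an accessibility service, an opt-out from battery optimization, and an SMS-based command channel) is visible in an app's manifest before it ever runs. The following static triage script is an added example written for this page; it is not code from the original article or from the researchers who analysed BouldSpy, and it reflects no knowledge of the real samples' manifests. It parses a decoded AndroidManifest.xml (the text form produced by apktool) with the standard library and flags only the combination of indicators. The two manifests, the package names and the scoring weights are constructed for illustration; the permission and action string constants are the real Android values.

```python
"""Static triage of a decoded AndroidManifest.xml (e.g. apktool output) for the
capability combination described above: surveillance permissions, an
accessibility service, and an opt-out from battery optimization."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Real Android permission constants that map onto the capabilities listed in the
# article. Any one of them is common in benign apps; the combination is the signal.
SURVEILLANCE_PERMISSIONS = {
    "android.permission.RECORD_AUDIO": "audio and call recording",
    "android.permission.CAMERA": "camera capture",
    "android.permission.READ_SMS": "SMS harvesting",
    "android.permission.RECEIVE_SMS": "SMS receipt (possible SMS command channel)",
    "android.permission.READ_CONTACTS": "contact list",
    "android.permission.READ_CALL_LOG": "call log",
    "android.permission.ACCESS_FINE_LOCATION": "device location",
    "android.permission.READ_EXTERNAL_STORAGE": "file and folder listing",
    "android.permission.GET_ACCOUNTS": "account usernames",
}
BATTERY_OPT_OUT = "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"


def triage_manifest(manifest_xml: str) -> dict:
    """Return the suspicious indicators found in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}
    hits = {p: why for p, why in SURVEILLANCE_PERMISSIONS.items() if p in requested}
    # An accessibility service is declared as a <service> whose intent filter
    # carries the AccessibilityService action.
    accessibility = [
        svc.get(NAME_ATTR)
        for svc in root.iter("service")
        if any(a.get(NAME_ATTR) == ACCESSIBILITY_ACTION for a in svc.iter("action"))
    ]
    battery_opt_out = BATTERY_OPT_OUT in requested
    # Constructed heuristic weighting, not a published detection rule.
    score = len(hits) + (3 if accessibility else 0) + (2 if battery_opt_out else 0)
    return {
        "package": root.get("package"),
        "surveillance_permissions": hits,
        "accessibility_services": accessibility,
        "battery_optimization_opt_out": battery_opt_out,
        "score": score,
        # Flag only the combination: broad data access AND both persistence tricks.
        "suspicious": len(hits) >= 4 and bool(accessibility) and battery_opt_out,
    }


# Constructed manifest for a hypothetical trojanized "currency converter".
SAMPLE_TROJANIZED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.converter">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <application android:label="Currency Converter">
    <activity android:name=".MainActivity"/>
    <service android:name="com.example.converter.SysService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed manifest for a benign converter that only needs network access.
SAMPLE_BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.honestconverter">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Currency Converter">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for manifest in (SAMPLE_TROJANIZED_MANIFEST, SAMPLE_BENIGN_MANIFEST):
        result = triage_manifest(manifest)
        print(result["package"], "suspicious" if result["suspicious"] else "clean",
              "score", result["score"])
        for perm, why in result["surveillance_permissions"].items():
            print("  ", perm, "->", why)
```

Two caveats when using this on real APKs: legitimate accessibility tools and some messaging apps request several of these permissions, so the output is a triage signal rather than a verdict, and an app can steer the user to the system battery settings screen (ACTION_IGNORE_BATTERY_OPTIMIZATION_SETTINGS) without ever declaring the REQUEST_IGNORE_BATTERY_OPTIMIZATIONS permission, so a missing permission does not rule the behaviour out.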

BouldSpy can also execute arbitrary code, download and run additional code received from the C2 server, and execute code within other apps.

The malware also contains ransomware code borrowed from an open-source project, but the researchers found it to be non-functional. Its presence suggests that a ransomware capability may be intended for a future version of BouldSpy.
