The Android devices of several Iranian protesters were found by researchers to be carrying the l3mon spyware. According to the researchers, the payload contains the full set of capabilities needed to run a spying campaign.
The researchers acquired a copy of l3mon and noted that it has previously spread on different forums and platforms such as Telegram.
Based on reports, l3mon is spyware well known among threat groups for stealing information such as IDs, credit card details, and passwords. The payload is commonly distributed through compromised links, malicious emails, or internet platforms.
It can also use legitimate apps on the Google Play Store as a propagation vector. Moreover, it can be installed through a backdoor on computers and virtual servers in order to infect cloud users.
The l3mon spyware is cloud-based and written in JavaScript. It runs on the Node.js ecosystem, and researchers identify it as open-source software.
A Persian researcher claimed that the hackers controlled the spyware on the protesters' devices from a German server. Furthermore, the actors, operating out of Iran, exfiltrated the information from the victims' devices.
Hence, the Iranian government is worried about its national security and its civilians, since the threat actors may have acquired tools for surveilling Iranians.
Research revealed that once the spyware infects a phone, it lets attackers access the victim's call logs, internet connection, contact lists, audio conversations, and sent and received SMS messages. Additionally, the l3mon spyware can record audio, report the device's current location, install apps, monitor typed text, and read the notification list of the compromised phone.
Cybersecurity experts urge affected and unaffected Iranian Android users alike to take preventive measures and install reputable antivirus software to mitigate the effects of the spyware. The researchers also explained that the spyware may hide inside installed applications, and that its activity can drain the compromised phone's battery quickly.
Some researchers advise that infected phones be factory reset to remove the spyware hiding behind malicious applications.
As of now, the ongoing spread of the l3mon malware raises significant concern for the Iranian government, since this campaign could lead to more dangerous attacks in the near future.
