The Law Enforcement Command of the Islamic Republic of Iran (FARAJA) has been discovered using a new Android spyware called BouldSpy to monitor minority groups and potential traffickers. The spyware was discovered by researchers at the Lookout Threat Lab in March 2020, and has since been tracked by multiple security experts.
Although the BouldSpy spyware supports ransomware capabilities, Lookout researchers have not seen the malware use them, which suggests that it is still under development or is being used as a false flag by its operators.
BouldSpy has been used to spy on over 300 people, including Iranian Kurds, Baluchis, Azeris, and possibly Armenian Christian groups. The malware was likely used to monitor illegal trafficking activity related to arms, drugs, and alcohol. The Lookout report suggests that FARAJA uses physical access to devices, likely obtained during detention, to install BouldSpy and further monitor the target upon release.
The report provides a list of surveillance capabilities supported by the spyware, including account usernames, installed apps, browser history, live call recordings, call logs, photos from device cameras, device information, file lists, clipboard content, keylogs, location information, SMS messages, audio recordings, and screenshots.
The experts believe BouldSpy is a new malware family due to the relatively small number of samples they have obtained. The report also points out the lack of maturity in operational security employed by the operators, such as unencrypted C2 traffic, hardcoded plaintext C2 infrastructure details, and a lack of string obfuscation. The spyware can run arbitrary code, download and run additional payloads, and receive commands via C2 web traffic and SMS messages.
Most of the activities performed by the malware are done in the background by abusing Android accessibility services. The spyware also relies on the CPU wake lock and disables battery management to prevent the OS from closing the process associated with the malware.
Overall, the report by Lookout provides insights into the tactics used by the Law Enforcement Command of the Islamic Republic of Iran (FARAJA) to monitor potential threats and minority groups.
The BouldSpy spyware appears to be a new malware family and has not yet reached its full potential. The lack of maturity in operational security employed by the operators suggests that there is a possibility of detection and that the malware is still in development.
The report provides Indicators of Compromise (IoCs) for the BouldSpy spyware, which can help organizations to detect and mitigate the threat.
