Monokle

Monokle is targeted, sophisticated mobile surveillanceware. It is developed for Android, but there are some code artifacts that suggests an iOS version may be in development.[1]

ID: S0407
Type: MALWARE
Platforms: Android
Contributors: Jörg Abraham, EclecticIQ
Version: 1.2
Created: 04 September 2019
Last Modified: 01 November 2021

Techniques Used

Domain ID Name Use
Mobile T1640 Account Access Removal

Monokle can reset the user's password/PIN.[1]

Mobile T1638 Adversary-in-the-Middle

Monokle can install attacker-specified certificates to the device's trusted certificate store, enabling an adversary to perform adversary-in-the-middle attacks.[2]

Mobile T1429 Audio Capture

Monokle can record audio from the device's microphone and can record phone calls, specifying the output audio quality.[1]

Mobile T1616 Call Control

Monokle can be controlled via phone call from a set of "control phones."[1]

Mobile T1645 Compromise Client Software Binary

Monokle can remount the system partition as read/write to install attacker-specified certificates.[1]

Mobile T1533 Data from Local System

Monokle can retrieve the salt used when storing the user’s password, aiding an adversary in computing the user’s plaintext password/PIN from the stored password hash. Monokle can also capture the user’s dictionary, user-defined shortcuts, and browser history, enabling profiling of the user and their activities.[1]

Mobile T1617 Hooking

Monokle can hook itself to appear invisible to the Process Manager.[1]

Mobile T1630 .002 Indicator Removal on Host: File Deletion

Monokle can delete arbitrary files on the device, and can also uninstall itself and clean up staging files.[1]

Mobile T1544 Ingress Tool Transfer

Monokle can download attacker-specified files.[1]

Mobile T1417 .001 Input Capture: Keylogging

Monokle can record the user's keystrokes.[1]

Mobile T1430 Location Tracking

Monokle can track the device's location.[1]

Mobile T1406 Obfuscated Files or Information

Monokle uses XOR to obfuscate its second stage binary.[1]

Mobile T1644 Out of Band Data

Monokle can be controlled via email and SMS from a set of "control phones."[1]

Mobile T1636 .001 Protected User Data: Calendar Entries

Monokle can retrieve calendar event information including the event name, when and where it is taking place, and the description.[1]

.002 Protected User Data: Call Log

Monokle can retrieve call history.[1]

.003 Protected User Data: Contact List

Monokle can retrieve the device's contact list.[1]

Mobile T1513 Screen Capture

Monokle can record the screen as the user unlocks the device and can take screenshots of any application in the foreground. Monokle can also abuse accessibility features to read the screen to capture data from a large number of popular applications.[1]

Mobile T1418 Software Discovery

Monokle can list applications installed on the device.[1]

Mobile T1426 System Information Discovery

Monokle queries the device for metadata such as make, model, and power levels.[1]

Mobile T1422 System Network Configuration Discovery

Monokle checks if the device is connected via Wi-Fi or mobile data.[1]

Mobile T1421 System Network Connections Discovery

Monokle can retrieve nearby cell tower and Wi-Fi network information.[1]

Mobile T1512 Video Capture

Monokle can take photos and videos.[1]

References