Android Spyware BouldSpy Linked to Iranian Government
A new Android surveillance tool discovered by mobile security experts at Zimperium has been attributed to the Law Enforcement Command of the Islamic Republic of Iran (FARAJA).
Called BouldSpy, the mobile malware has been used by threat actors to target minority groups and potentially those involved in illegal trafficking activities, according to an advisory published by the company on Wednesday.
“BouldSpy has extensive surveillance capabilities, such as recording calls, capturing photos, and monitoring account usernames across various platforms,” explained Zimperium security researcher Nicolás Chiaraviglio.
BouldSpy keeps its application alive by turning off battery management and establishing CPU wake locks while simultaneously leveraging Android accessibility services to perform most of its surveillance actions.
“By abusing CPU wake locks and disabling battery management features, the spyware prevents the device from shutting down its activities, causing faster battery drainage for victims,” Chiaraviglio explained.
“Once installed, BouldSpy establishes a network connection with its command and control (C2) server, and exfiltrates cached data from the victim’s device. A background service manages most of the surveillance functionality and restarts itself when its parent activity is stopped by either the user or the Android system.”
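The combination just described (a CPU wake lock, opting out of battery optimisation, an accessibility service, and a self-restarting background service) shows up in an app's manifest before any of it runs, so a defender can triage a sample on the permissions and service declarations alone. The script below is an added example, not Zimperium's code or anything from the BouldSpy samples: the two manifests are constructed, and the indicator names, weights and verdict threshold are assumptions chosen to illustrate that no single permission is alarming while the cluster is.

```python
"""Heuristic manifest triage for the persistence-plus-surveillance cluster
described in the advisory. Added example; manifests, weights and threshold
are constructed assumptions, not values taken from any real sample."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR_NAME = f"{{{ANDROID_NS}}}name"
ATTR_PERMISSION = f"{{{ANDROID_NS}}}permission"

# Assumed weights. Each permission is common in benign apps; the score only
# becomes meaningful when several appear together with an accessibility service.
PERMISSION_INDICATORS = {
    "android.permission.WAKE_LOCK": ("cpu_wake_lock", 1),
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": ("battery_opt_out", 2),
    "android.permission.RECEIVE_BOOT_COMPLETED": ("boot_persistence", 1),
    "android.permission.FOREGROUND_SERVICE": ("foreground_service", 1),
    "android.permission.RECORD_AUDIO": ("audio_recording", 1),
    "android.permission.CAMERA": ("camera", 1),
    "android.permission.GET_ACCOUNTS": ("account_enumeration", 1),
}
# An accessibility service is a <service> guarded by this system permission.
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_WEIGHT = 3
SUSPICIOUS_THRESHOLD = 5  # assumed cut-off for the "suspicious" verdict


def triage_manifest(manifest_xml: str) -> dict:
    """Return the indicators found, an additive score and a verdict."""
    root = ET.fromstring(manifest_xml)
    found = {}
    for perm in root.iter("uses-permission"):
        name = perm.get(ATTR_NAME, "")
        if name in PERMISSION_INDICATORS:
            label, weight = PERMISSION_INDICATORS[name]
            found[label] = weight
    for service in root.iter("service"):
        if service.get(ATTR_PERMISSION) == ACCESSIBILITY_BIND:
            found["accessibility_service"] = ACCESSIBILITY_WEIGHT
    score = sum(found.values())
    # Verdict requires the accessibility hook plus at least one keep-alive
    # trick (wake lock or battery opt-out) on top of the score threshold.
    keep_alive = "cpu_wake_lock" in found or "battery_opt_out" in found
    suspicious = ("accessibility_service" in found and keep_alive
                  and score >= SUSPICIOUS_THRESHOLD)
    return {"indicators": sorted(found), "score": score,
            "verdict": "suspicious" if suspicious else "low"}


# Constructed manifest showing the full cluster (not a real sample).
SUSPECT_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.sample">
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <application>
    <service android:name=".SurveillanceService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".KeepAliveService"/>
  </application>
</manifest>"""

# Constructed benign control: a flashlight app also holds WAKE_LOCK and CAMERA.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.flashlight">
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for label, xml in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage_manifest(xml))
```

The score is deliberately additive and the threshold low: the point is not that any one permission is malicious, but that the keep-alive permissions together with a declared accessibility service are the pattern worth pulling the APK for manual review. Permissions alone cannot prove the service restarts itself or talks to a C2 server; that still needs dynamic analysis or network telemetry.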
Zimperium has cautioned that BouldSpy is highly risky to both individuals and the general public due to its advanced surveillance capabilities.
“The targeted surveillance of minority groups within Iran may lead to further discrimination and suppression, amplifying existing social and political tensions,” Chiaraviglio wrote.
At the time of writing, Zimperium has observed a limited number of BouldSpy samples, all distributed outside the Google Play Store via third-party services.
“The spyware has not been distributed through Google Play, making it more challenging for users to identify and avoid. Moreover, this shows the danger of sideloading applications from unknown third-party sources,” Chiaraviglio said.
The Zimperium advisory comes weeks after the threat actor known as Mint Sandstorm was observed weaponizing N-day vulnerabilities to target US critical infrastructure.