BouldSpy, a new Android spyware family, was recently detected by Lookout Threat Lab and linked with moderate confidence to the Law Enforcement Command of the Islamic Republic of Iran (FARAJA).
Named after its configuration class, "BoulderApplication," BouldSpy has been tracked by Lookout since March 2020 because of its command and control (C2) capabilities.
In 2023, security researchers on Twitter and in the wider threat intelligence community began paying attention to this new Android malware, which has variously been identified as:
Botnet
Ransomware
Lookout's researchers assess that the ransomware code present in BouldSpy is not operational and remains inactive.
Its presence suggests either that the threat actor is still actively developing it, or that it was included to mislead investigators.
Lookout's analysis of data exfiltrated to BouldSpy's command and control (C2) servers shows that the spyware has targeted more than 300 individuals, including members of groups such as:
Iranian Kurds
Baluchis
Azeris
Armenian Christian groups
Upon a detainee's release, FARAJA installs BouldSpy to continue monitoring the target, using the physical access to the device it likely obtained during detention.
Although images of drugs and firearms found alongside official FARAJA documents imply that the malware has been used in law enforcement work, the victim data points to broader use, such as targeted surveillance of minority groups in Iran.
Separately, a significant proportion of the malware's activity was observed during the peak of the Mahsa Amini protests in late 2022.
Technical analysis
Given the small number of samples available to security researchers and the immaturity of its operational security, BouldSpy is presumed to be a new malware strain.
The following operational-security weaknesses serve as additional evidence of its novelty:
Unencrypted C2 traffic
Hardcoded plaintext C2 infrastructure details (addresses stored unobfuscated in the sample)
Lack of string obfuscation
Inability to remove intrusion artifacts
BouldSpy's espionage activity takes place mainly in the background, abusing Android accessibility services to do so.
It also relies on acquiring a CPU wake lock and disabling battery-management (battery optimisation) features so that its operations continue uninterrupted and the device is not allowed to sleep.
As a side effect, victims experience much faster battery drain than usual, which is one of the few user-visible symptoms of infection.
Immediately after installation on the target device, the spyware establishes a network connection to its C2 server in order to exfiltrate the data it has cached on the device.
BouldSpy can encrypt files for exfiltration, but the communication between victim devices and the C2 takes place over unencrypted web traffic.
The threat actor's insecure implementation exposes the entire C2 exchange in clear text, which simplifies network analysis and detection.
The following are the IP addresses of the BouldSpy C2 servers that Lookout has identified:
192.99.251[.]51
192.99.251[.]50
192.99.251[.]49
192.99.251[.]54
84.234.96[.]117
149.56.92[.]127
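Because the C2 channel runs over plaintext HTTP to fixed addresses, the IoCs above are straightforward to hunt for in egress logs. The following is an added example (not code from Lookout or from this article) that refangs the published addresses and scans a constructed, space-separated connection log for flows to them; the log layout (timestamp, source IP, destination IP, destination port, protocol) and the sample lines are assumptions made for the illustration, not a real log format.

```python
"""Scan connection logs for traffic to the BouldSpy C2 addresses listed above.

Added example, not code from Lookout or the article.  The log format and the
sample lines are constructed for illustration (assumed layout:
"<iso-timestamp> <src_ip> <dst_ip> <dst_port> <proto>").
"""
import ipaddress
import re
from collections import Counter

# Defanged IoCs exactly as published above; refanged when the module loads.
BOULDSPY_C2_DEFANGED = [
    "192.99.251[.]51",
    "192.99.251[.]50",
    "192.99.251[.]49",
    "192.99.251[.]54",
    "84.234.96[.]117",
    "149.56.92[.]127",
]


def refang(ioc: str) -> str:
    """Turn '192.99.251[.]51' into '192.99.251.51' and validate it as IPv4."""
    addr = ioc.replace("[.]", ".")
    ipaddress.IPv4Address(addr)  # raises ValueError on a malformed IoC
    return addr


C2_ADDRESSES = frozenset(refang(i) for i in BOULDSPY_C2_DEFANGED)

# Assumed log layout; adjust the pattern for a real firewall or proxy export.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<port>\d+)\s+(?P<proto>\S+)$"
)

# Constructed sample lines: two benign flows, three hits on listed C2 addresses.
SAMPLE_LOG = """\
2023-05-01T10:00:01Z 10.0.0.12 93.184.216.34 443 tcp
2023-05-01T10:00:05Z 10.0.0.12 192.99.251.51 80 tcp
2023-05-01T10:00:09Z 10.0.0.44 149.56.92.127 80 tcp
2023-05-01T10:00:12Z 10.0.0.12 8.8.8.8 53 udp
2023-05-01T10:00:30Z 10.0.0.12 192.99.251.51 443 tcp
"""


def scan_log(text: str):
    """Return one finding per log line whose destination is a known BouldSpy C2."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m or m["dst"] not in C2_ADDRESSES:
            continue
        findings.append({
            "line": lineno,
            "ts": m["ts"],
            "src": m["src"],
            "dst": m["dst"],
            "port": int(m["port"]),
            # Lookout describes the C2 channel as plaintext web traffic, so
            # port 80 is the expected pattern; other ports still merit triage.
            "plaintext_http": m["port"] == "80",
        })
    return findings


def summarize(findings):
    """Count hits per internal source host to prioritise which devices to examine."""
    return Counter(f["src"] for f in findings)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        kind = "plaintext HTTP" if f["plaintext_http"] else "other port"
        print(f"line {f['line']}: {f['src']} -> {f['dst']}:{f['port']} ({kind})")
    print("hosts to triage:", dict(summarize(hits)))
```

Matching on destination address alone is deliberate: the article notes that the C2 traffic is unencrypted, so a port-80 hit is the expected shape, but a flow to one of these addresses on any port is worth a look, and the per-source summary tells an analyst which handsets to pull for examination first.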
The victim data recovered during analysis of these servers included:
66,000 call logs
15,000 installed apps
100,000 contacts
3,700 user accounts
3,000 downloaded files
9,000 keylogs
900 locations
400,000 text messages
2,500 photos
Deployment and capabilities
The C2 panel used by FARAJA's threat actor provides a user-friendly interface for managing victims' devices and for building custom BouldSpy malware applications.
The operator can either use the default package name "com.android.callservice", which is designed to look like an Android system service that manages phone calls, or bundle the com.android.callservice package into one of several legitimate applications.
BouldSpy imitates the following applications:
CPU-Z
Interest Calculator
Currency Converter Pro
Fake Call
Call Service
Psiphon
BouldSpy's surveillance capabilities are as follows:
Usernames and types of all accounts on the device
List of installed apps
Browser history and bookmarks
Live call recordings
Call logs
Take photos from the device cameras
Contact lists
IP address
SIM card information
Wi-Fi information
Android version
Device identifiers
List of all files on the device
List of all folders on the device
Clipboard content
Keystrokes (keylogging)
The location from GPS, network, or cell provider
SMS messages
Record audio from the microphone
Take screenshots
Record voice calls over several VoIP apps
Moreover, because the C2 servers frequently erase exfiltrated data, security analysts suggest there may be additional victims and collected data beyond what was recovered.