Android Monokle Malware

Original Issue Date:- July 29, 2019
Virus Type:- Trojan
Severity:- High

A new mobile remote access trojan (RAT) for Android, called Monokle, has been reported to use novel techniques to exfiltrate data. Monokle uses a range of intrusive capabilities to conduct various types of cyber attacks. The trojan is distributed to targets via fake apps camouflaged as genuine apps such as Google Play, Skype, UC Browser, Pornhub, etc.

So far Monokle is directed only against Android devices. Researchers found several references to a planned iOS version, including unused commands and data transfer objects in its source code. Typically, victims are infected when they download trojanised versions of what appear to be legitimate Android applications that otherwise operate as intended.

Monokle gives the attacker the following capabilities, which are used to steal information from the device:

  • It has the ability to self-sign trusted certificates to intercept encrypted SSL traffic, and it does not require root access to exfiltrate data.
  • A phone's lockscreen activity can be recorded to obtain passwords, steal personal information, and gain access to third-party apps.
  • It collects the user's predictive-text dictionaries to learn the target's topics of interest.
  • If the attacker gains root access to the target's phone, Monokle can install additional attacker-specified certificates into the trusted certificate store, allowing man-in-the-middle (MITM) attacks against TLS traffic.
  • The attacker is able to access the target's contacts and calendar information, record audio and calls, and take screenshots, photos, videos, etc.
  • The attacker can also retrieve emails, browsing histories, accounts and passwords, screen recordings, etc.
  • Other capabilities include keylogging, deleting arbitrary files, executing arbitrary code, and rebooting the device.


Countermeasures:

  • Do not download and install applications from untrusted sources (offered via unknown websites or links in unscrupulous messages). Install applications downloaded from reputable application markets only.
  • Install and maintain an updated antivirus solution on Android devices. Scan a suspected device with antivirus solutions to detect and clean infections.
  • Prior to downloading or installing apps on Android devices (even from the Google Play Store), always review the app details, number of downloads, user reviews, comments and the "ADDITIONAL INFORMATION" section.
  • Verify app permissions and grant only those permissions which have relevant context for the app's purpose.
  • In settings, do not enable installation of apps from "Untrusted Sources".
  • Exercise caution when clicking links, whether on trusted or untrusted sites.
  • Install Android updates and patches as and when available from Android device vendors.
  • Users are advised to use device encryption or the external SD card encryption feature available in most versions of the Android OS.
  • Do not download or open attachments in emails received from untrusted sources or received unexpectedly from trusted users.
  • Avoid using unsecured, unknown Wi-Fi networks. There may be rogue Wi-Fi access points at public places used for distributing malicious applications.
  • Confirm that the banking app you’re using is the official, verified version.
  • If anything looks awry or suddenly unfamiliar, check in with your bank’s customer service team.
  • Use two-factor authentication if it’s available.
  • Make sure you have a strong AI-powered mobile antivirus installed to detect and block this kind of tricky malware if it ever makes its way onto your system.
  • Refer to security best practices for mobile Phone users:
    http://www.cyberswachhtakendra.gov.in/documents/Mobile_phone_Security.pdf
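As an added defender-side check (example code, not part of this advisory), the script below parses the output of two adb commands, `pm list packages -3 -i` and `ls /data/misc/user/0/cacerts-added`, to flag side-loaded third-party apps and user-added CA certificates, which correspond to the untrusted-source and trusted-certificate points above. The sample outputs and the com.example package names are constructed, and the set of trusted installer packages is an assumption to adapt per fleet.

```python
"""Added example, not the advisory's own code: triage the output of two adb
commands (side-loaded apps and user-added CA certificates).  All sample
output below is constructed for illustration."""
import re
from typing import Dict, List, Optional

# Installer packages treated as trusted stores (assumption: add any OEM
# store that your devices are allowed to use).
TRUSTED_INSTALLERS = {"com.android.vending"}

# `adb shell pm list packages -3 -i` prints one third-party app per line:
#   package:<pkg>  installer=<installer pkg, or null when side-loaded>
_PKG_LINE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")


def parse_pm_list(output: str) -> Dict[str, Optional[str]]:
    """Map package name -> installer package (None when pm reports 'null')."""
    installers: Dict[str, Optional[str]] = {}
    for line in output.splitlines():
        m = _PKG_LINE.match(line.strip())
        if m:  # ignore blank lines and anything that is not a package line
            inst = m.group("inst")
            installers[m.group("pkg")] = None if inst == "null" else inst
    return installers


def sideloaded(installers: Dict[str, Optional[str]]) -> List[str]:
    """Third-party apps not installed by a trusted store, sorted for reporting."""
    return sorted(p for p, i in installers.items() if i not in TRUSTED_INSTALLERS)


def user_ca_certs(ls_output: str) -> List[str]:
    """File names from `adb shell ls /data/misc/user/0/cacerts-added`, the
    user-added CA store; any entry here deserves a second look."""
    return [l.strip() for l in ls_output.splitlines() if l.strip()]


# Constructed sample output (not captured from a real device).
SAMPLE_PM = """\
package:com.whatsapp  installer=com.android.vending
package:com.example.fakebrowser  installer=null
package:com.example.sideload  installer=com.android.packageinstaller
"""
SAMPLE_LS = "c1a9e2b3.0\n"  # constructed <hash>.0 file name

if __name__ == "__main__":
    pkgs = parse_pm_list(SAMPLE_PM)
    for pkg in sideloaded(pkgs):
        print(f"side-loaded: {pkg} (installer={pkgs[pkg]})")
    for cert in user_ca_certs(SAMPLE_LS):
        print(f"user-added CA certificate: {cert}")
```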


References: