June 7, 2023

Researchers has discovered a new Android surveillance tool and  attributed to the Law Enforcement Command of the Islamic Republic of Iran (FARAJA).

The tool dubbed as BouldSpy, the mobile malware has been used by threat actors to target minority groups and potentially those involved in illegal trafficking activities. BouldSpy has extensive surveillance capabilities, such as recording calls, capturing photos, and monitoring account usernames across various platforms.

BouldSpy keeps its application alive by turning off battery management and establishing CPU wake locks while simultaneously leveraging Android accessibility services to perform most of its surveillance actions.  By abusing CPU wake locks and disabling battery management features, the spyware prevents the device from shutting down its activities, causing faster battery drainage for victims.

Advertisements

When installed, it establishes a network connection with its C2 server, and exfiltrates cached data from the victim’s device. A background service manages most of the surveillance functionality and restarts itself when its parent activity is stopped by either the user or the Android system.

The targeted surveillance of minority groups within Iran may lead to further discrimination and suppression, amplifying existing social and political tensions.

Only few of BouldSpy samples, all distributed outside the Google Play Store via third-party services. The spyware has not been distributed through Google Play, making it more challenging for users to identify and avoid. Moreover, this shows the danger of sideloading applications from unknown third-party sources.

This research was documented by researchers from Lookout and detailed by Zimperium

Indicators of Compromise

  • 5168610b73f50661b998e95a74be25bfe749b6ef
  • af999714aec75a64529c59f1e8de4c669adfa97a
  • 965d118cb80ccdbc6e95e530a314cb4b85ae1b42
  • f3b135555ae731b5499502f3b69724944ab367d5
  • 02ac97b090a6b2a1b14bad839deec7d966f5642c
  • da3c0cfd432b53a602ce7dc5165848b88411d9c9
  • 75a6c724f43168346b177a60c81ca179a436246f
  • 08fd24e4514793b29b7bd2c29f9e5c15ffc9bada
  • 73c93be188f88755ed690266063223e141fdb9ff
  • 7537ac1658100efaf6558eed4a3f732208b393ab
  • 7208dc915a800fe5c5eaf599084147a8afeba991
  • 8afc495b6632ce9ef812a971f71ae82d39d7e7e9
  • 43f5506b960914ab76ffaf531cdd51dd86df22f2
  • dd66dcb8db678d10f9589a12745ec2e575e4f5eb
  • 69894818ba1dc8bfffe9fb384abf77d991379aaa
  • db650b0eaffa21b63ce84d31b2bd09720da9491e
  • 67a3def7ad736df94c8c50947f785c0926142b69
  • 63ff362f58c7b6dec8ea365a5dbc6a88ec09dacf
  • bc826967c90acc08f1f70aa018f5d13f31521b92
  • 02c4969c45fd7ac913770f9db075eadf9785d3a7
  • 5446e0cf2de0a888571ef1d521b9ada7b34ef33e
  • 43a92743c8264a8d06724ab80139c0d31e8292ee
  • 149.56.92[.]127
  • 192.99.251[.]49
  • 192.99.251[.]50
  • 192.99.251[.]51
  • 192.99.251[.]54
  • 84.234.96[.]117
Tags:

1 thought on “BouldSpy – Android Spyware Attributed to Iran

  1. Pingback: BouldSpy – Android Spyware Attributed to Iran - YodaSec Expose

Leave a Reply

You may have missed

Microsoft to comply with LinkedIn GDPR Violation

Microsoft to comply with LinkedIn GDPR Violation

June 7, 2023
Google Fixes Third Chrome Zeroday

Google Fixes Third Chrome Zeroday

June 6, 2023
Moveit Attributed to Lace Tempest

Moveit Attributed to Lace Tempest

June 6, 2023
Byte Code Bites PYPI

Byte Code Bites PYPI

June 5, 2023
Enzo Biochem Suffers a Data Breach

Enzo Biochem Suffers a Data Breach

June 5, 2023
BlackSuit Ransomware Dissection

BlackSuit Ransomware Dissection

June 4, 2023
%d bloggers like this: