June 7, 2023

Researchers have discovered a new Android surveillance tool and attributed it to the Law Enforcement Command of the Islamic Republic of Iran (FARAJA).

Dubbed BouldSpy, the mobile malware has been used by threat actors to target minority groups and potentially those involved in illegal trafficking activities. BouldSpy has extensive surveillance capabilities, such as recording calls, capturing photos, and monitoring account usernames across various platforms.

BouldSpy keeps its application alive by turning off battery management and establishing CPU wake locks, while leveraging Android accessibility services to perform most of its surveillance actions. By abusing CPU wake locks and disabling battery management features, the spyware prevents the device from shutting down its activities, which drains the victim's battery faster.

When installed, it establishes a network connection with its C2 server and exfiltrates cached data from the victim’s device. A background service manages most of the surveillance functionality and restarts itself when its parent activity is stopped by either the user or the Android system.

The targeted surveillance of minority groups within Iran may lead to further discrimination and suppression, amplifying existing social and political tensions.

Only a few BouldSpy samples have been found, all distributed outside the Google Play Store via third-party services. The spyware has not been distributed through Google Play, making it more challenging for users to identify and avoid. Moreover, this shows the danger of sideloading applications from unknown third-party sources.
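For defenders triaging installed apps, the keep-alive behaviour and sideloaded distribution described above can be checked against a decoded `AndroidManifest.xml`. The sketch below is an added example, not code from Lookout, Zimperium or the malware; the mapping of those behaviours to these Android permissions is an assumption, and the sample manifests and package names are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PLAY_STORE = "com.android.vending"  # installer package name of Google Play

# Assumed mapping of the article's behaviours to manifest declarations.
KEEPALIVE_PERMS = {
    "android.permission.WAKE_LOCK": "cpu_wake_lock",
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": "battery_exemption",
}
A11Y_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"

def triage_manifest(manifest_xml):
    """Return the sorted traits (keep-alive, accessibility) a manifest declares."""
    root = ET.fromstring(manifest_xml)
    traits = set()
    for node in root.iter("uses-permission"):
        trait = KEEPALIVE_PERMS.get(node.get(ANDROID_NS + "name", ""))
        if trait:
            traits.add(trait)
    for svc in root.iter("service"):
        # An accessibility service must be protected by this bind permission.
        if svc.get(ANDROID_NS + "permission") == A11Y_BIND:
            traits.add("accessibility_service")
    return sorted(traits)

def needs_review(manifest_xml, installer):
    """Flag apps that declare all three traits and were not installed by Google Play."""
    return installer != PLAY_STORE and len(triage_manifest(manifest_xml)) == 3

# Constructed sample manifests (hypothetical package names, not BouldSpy samples).
_HEAD = '<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="%s">'
SUSPECT = (_HEAD % "com.example.suspect") + """
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <application>
    <service android:name=".Watcher"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""
BENIGN = (_HEAD % "com.example.player") + """
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for name, xml_text, installer in (("suspect", SUSPECT, None), ("benign", BENIGN, PLAY_STORE)):
        print(name, triage_manifest(xml_text), needs_review(xml_text, installer))
```

Each of these declarations also appears in legitimate apps, so a hit is a reason to inspect the package further, not a verdict.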

This research was documented by researchers from Lookout and detailed by Zimperium.

Indicators of Compromise

