Monokle

Monokle is targeted, sophisticated mobile surveillanceware. It is developed for Android, but some code artifacts suggest that an iOS version may be in development.[1]

ID: S0407
Type: MALWARE
Platforms: Android
Contributors: Jörg Abraham, EclecticIQ
Version: 1.2
Created: 04 September 2019
Last Modified: 01 November 2021

Techniques Used

Domain ID Name Use
Mobile T1435 Access Calendar Entries

Monokle can retrieve calendar event information including the event name, when and where it is taking place, and the description.[1]

Mobile T1433 Access Call Log

Monokle can retrieve call history.[1]

Mobile T1432 Access Contact List

Monokle can retrieve the device's contact list.[1]

Mobile T1438 Alternate Network Mediums

Monokle can be controlled via email and SMS from a set of "control phones."[1]

Mobile T1418 Application Discovery

Monokle can list applications installed on the device.[1]

Mobile T1616 Call Control

Monokle can be controlled via phone call from a set of "control phones."[1]

Mobile T1429 Capture Audio

Monokle can record audio from the device's microphone and can record phone calls, specifying the output audio quality.[1]

Mobile T1512 Capture Camera

Monokle can take photos and videos.[1]

Mobile T1533 Data from Local System

Monokle can retrieve the salt used when storing the user’s password, aiding an adversary in recovering the user’s plaintext password/PIN from the stored password hash by offline brute force. Monokle can also capture the user’s dictionary, user-defined shortcuts, and browser history, enabling profiling of the user and their activities.[1]
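Why the salt matters, as an added example (not code from the page or from the Monokle analysis): it reproduces the legacy Android lock-screen hash (LockPatternUtils.passwordToHash, used before Gatekeeper), where password.key holds uppercase HEX(SHA-1(pw||salt)) followed by HEX(MD5(pw||salt)) and the salt is the 64-bit lockscreen.password_salt value rendered with Java's Long.toHexString. The page does not say which Android versions or scheme Monokle targets, so that scheme, the sample salt and the PIN 2580 are assumptions of this example. With the salt in hand a four-digit PIN falls in a few thousand hashes; without it each candidate would have to be tried against 2^64 possible salts.

```python
import hashlib
import itertools
from typing import Optional

# Legacy Android lock-screen scheme (LockPatternUtils.passwordToHash, used
# before Gatekeeper): /data/system/password.key holds
#   HEX(SHA-1(pw || salt)) || HEX(MD5(pw || salt))   as 72 uppercase hex chars,
# where salt is the signed 64-bit lockscreen.password_salt from locksettings.db
# rendered with Java's Long.toHexString before being appended to the password.

MASK64 = 0xFFFFFFFFFFFFFFFF


def salt_to_str(salt: int) -> str:
    """Mimic Long.toHexString: lowercase, no leading zeros, two's complement for negatives."""
    return format(salt & MASK64, "x")


def password_to_hash(password: str, salt: int) -> str:
    """Compute the password.key contents for a password/PIN and a salt."""
    data = (password + salt_to_str(salt)).encode()
    return (hashlib.sha1(data).hexdigest() + hashlib.md5(data).hexdigest()).upper()


def crack_pin(password_key: str, salt: int, min_len: int = 4, max_len: int = 6) -> Optional[str]:
    """Offline brute force of a numeric PIN given password.key and the recovered salt."""
    for n in range(min_len, max_len + 1):
        for digits in itertools.product("0123456789", repeat=n):
            pin = "".join(digits)
            if password_to_hash(pin, salt) == password_key:
                return pin
    return None


# Constructed sample: an arbitrary salt and the password.key a device using the
# legacy scheme would store for the PIN 2580 (both chosen for this example).
SAMPLE_SALT = -6192412498195577431
SAMPLE_PASSWORD_KEY = password_to_hash("2580", SAMPLE_SALT)

if __name__ == "__main__":
    print(crack_pin(SAMPLE_PASSWORD_KEY, SAMPLE_SALT))  # 2580
```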

Mobile T1447 Delete Device Data

Monokle can delete arbitrary files on the device, and can also uninstall itself and clean up staging files.[1]

Mobile T1446 Device Lockout

Monokle can reset the user's password/PIN.[1]

Mobile T1617 Hooking

Monokle can hook itself to appear invisible to the Process Manager.[1]

Mobile T1417 Input Capture

Monokle can record the user's keystrokes.[1]

Mobile T1430 Location Tracking

Monokle can track the device's location.[1]

Mobile T1400 Modify System Partition

Monokle can remount the system partition as read/write to install attacker-specified certificates.[1]

Mobile T1507 Network Information Discovery

Monokle can retrieve nearby cell tower and Wi-Fi network information.[1]

Mobile T1410 Network Traffic Capture or Redirection

Monokle can install attacker-specified certificates to the device's trusted certificate store, enabling an adversary to perform adversary-in-the-middle attacks.[1]
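A defender-side check for the two behaviours above (the read/write remount under Modify System Partition and the certificate install under Network Traffic Capture or Redirection), as an added example that is not part of the page or of any Monokle analysis. It parses /proc/mounts-style lines to flag system partitions mounted rw and diffs the file names in /system/etc/security/cacerts/ against a known-good baseline; Android names each system CA <subject_hash_old>.<n>, so anything else in that directory is also worth a look. The mount lines, the baseline and the observed listing are constructed for the example, and the eight-hex-digit names are placeholders rather than real CA hashes. Installing into the system store rather than the user store is what makes the technique effective: on Android 7 and later, apps do not trust user-added CAs by default, but they do trust the system store.

```python
import re
from typing import Dict, Iterable, List, Set

# Constructed sample: /proc/mounts as it looks on a stock device (system
# partitions read-only) and after /system has been remounted read/write.
MOUNTS_CLEAN = """\
/dev/block/dm-0 /system ext4 ro,seclabel,relatime 0 0
/dev/block/dm-1 /vendor ext4 ro,seclabel,relatime 0 0
/dev/block/bootdevice/by-name/userdata /data ext4 rw,seclabel,nosuid,nodev,noatime 0 0
"""
MOUNTS_REMOUNTED = MOUNTS_CLEAN.replace("/system ext4 ro,", "/system ext4 rw,")

# Constructed sample: file names in /system/etc/security/cacerts/. A real
# baseline would be taken from a known-good firmware image; these hashes are
# placeholders, not real CA subject hashes.
BASELINE_CACERTS = {"0a1b2c3d.0", "11223344.0", "deadbeef.0"}
OBSERVED_CACERTS = {"0a1b2c3d.0", "11223344.0", "deadbeef.0", "c0ffee00.0", "evil.pem"}

# Partitions that should never be mounted rw on a device that is not being updated.
SYSTEM_MOUNTPOINTS = ("/", "/system", "/vendor", "/product", "/system_ext")
# Android system CA files are named <openssl x509 -subject_hash_old>.<n>.
CACERT_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")


def parse_mounts(text: str) -> Dict[str, Set[str]]:
    """Map mount point -> set of mount options from /proc/mounts-style lines."""
    mounts: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mountpoint, options = fields[1], fields[3]
        mounts[mountpoint] = set(options.split(","))
    return mounts


def writable_system_mounts(text: str) -> List[str]:
    """System partitions currently mounted read/write."""
    mounts = parse_mounts(text)
    return sorted(mp for mp in SYSTEM_MOUNTPOINTS if "rw" in mounts.get(mp, set()))


def unexpected_cacerts(observed: Iterable[str], baseline: Iterable[str]) -> Set[str]:
    """System CA files that are not in the known-good baseline."""
    return set(observed) - set(baseline)


def malformed_cacerts(observed: Iterable[str]) -> Set[str]:
    """Files in the CA directory whose names do not follow the <hash>.<n> convention."""
    return {name for name in observed if not CACERT_NAME.match(name)}


def audit(mounts_text: str, observed: Iterable[str], baseline: Iterable[str]) -> List[str]:
    """Combine both checks into a list of human-readable findings."""
    findings = [f"{mp} mounted read/write" for mp in writable_system_mounts(mounts_text)]
    findings += [f"unexpected system CA file: {name}"
                 for name in sorted(unexpected_cacerts(observed, baseline))]
    return findings


if __name__ == "__main__":
    for finding in audit(MOUNTS_REMOUNTED, OBSERVED_CACERTS, BASELINE_CACERTS):
        print(finding)
```

On a live device the inputs come from `cat /proc/mounts` and `ls /system/etc/security/cacerts`; a CA that passes the name check still needs its subject compared against the baseline certificate itself, since the file name only commits to the subject hash.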

Mobile T1406 Obfuscated Files or Information

Monokle uses XOR to obfuscate its second stage binary.[1]
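How an analyst recovers a repeating XOR key from an obfuscated second stage, as an added example (not the page's or Monokle's own code). The page does not give Monokle's key, key length or payload format; this example assumes the second stage is a DEX file, uses the bytes every DEX 035 file carries at fixed offsets (the magic, header_size and endian_tag) as known plaintext, and obfuscates a constructed header with an 8-byte key chosen here. The recovery generalizes to any payload with a known header: each known byte yields one key byte at offset mod key length, and the shortest key length on which all derived bytes agree wins.

```python
from typing import Dict, Optional


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call obfuscates and deobfuscates."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Bytes a DEX file (version 035) always contains at fixed offsets: the magic,
# header_size (0x70) and endian_tag (0x12345678), both stored little-endian.
KNOWN_DEX_BYTES: Dict[int, int] = {
    **{i: b for i, b in enumerate(b"dex\n035\x00")},
    **{36 + i: b for i, b in enumerate((0x70).to_bytes(4, "little"))},
    **{40 + i: b for i, b in enumerate((0x12345678).to_bytes(4, "little"))},
}


def recover_xor_key(blob: bytes, known: Dict[int, int] = KNOWN_DEX_BYTES,
                    max_key_len: int = 16) -> Optional[bytes]:
    """Known-plaintext recovery of a repeating XOR key.

    For each candidate length, derive key[offset % length] = blob[offset] ^ plaintext
    from every known byte. The shortest length on which all derived bytes agree and
    every key position is covered is returned; a key longer than the known plaintext
    can pin down yields None rather than a guess.
    """
    for klen in range(1, max_key_len + 1):
        key = [None] * klen
        consistent = True
        for off, plain in known.items():
            if off >= len(blob):
                continue
            ks = blob[off] ^ plain
            if key[off % klen] is None:
                key[off % klen] = ks
            elif key[off % klen] != ks:
                consistent = False
                break
        if consistent and None not in key:
            return bytes(key)
    return None


def deobfuscate_second_stage(blob: bytes) -> Optional[bytes]:
    """Recover the key from the blob's DEX structure and return the decoded payload."""
    key = recover_xor_key(blob)
    return None if key is None else xor_bytes(blob, key)


# Constructed sample: a minimal DEX header plus a few payload bytes, obfuscated
# with an 8-byte key picked for this example (Monokle's real key is not on the page).
SAMPLE_KEY = bytes.fromhex("5ac31f80772e9b04")
_plain = bytearray(0x70 + 32)
_plain[0:8] = b"dex\n035\x00"
_plain[32:36] = len(_plain).to_bytes(4, "little")    # file_size
_plain[36:40] = (0x70).to_bytes(4, "little")          # header_size
_plain[40:44] = (0x12345678).to_bytes(4, "little")    # endian_tag
_plain[0x70:] = b"constructed second-stage bytes!!"
SAMPLE_PLAIN = bytes(_plain)
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAIN, SAMPLE_KEY)

if __name__ == "__main__":
    print(recover_xor_key(SAMPLE_BLOB).hex())         # 5ac31f80772e9b04
    print(deobfuscate_second_stage(SAMPLE_BLOB)[:8])  # b'dex\n035\x00'
```

With only 16 known bytes the recovery covers keys of up to 8 bytes outright; for longer keys, add more known offsets (the DEX map_off field, or string-table entries once partially decoded) or fall back to frequency analysis on the rest of the blob.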

Mobile T1544 Remote File Copy

Monokle can download attacker-specified files.[1]

Mobile T1513 Screen Capture

Monokle can record the screen as the user unlocks the device and can take screenshots of any application in the foreground. Monokle can also abuse accessibility features to read the screen to capture data from a large number of popular applications.[1]

Mobile T1426 System Information Discovery

Monokle queries the device for metadata such as make, model, and power levels.[1]

Mobile T1422 System Network Configuration Discovery

Monokle checks if the device is connected via Wi-Fi or mobile data.[1]

References